Federal agencies have until 2024 to implement various security measures — like multi-factor authentication (MFA) and network traffic encryption — as part of a zero-trust architecture strategy the White House finalized on Wednesday.
The newly released memorandum is a product of President Joe Biden’s Cybersecurity Executive Order 14028 last year, which first directed the government to develop various security mandates for agencies, including a zero-trust approach, in order to protect against cyberattacks. The finalized strategy follows a first draft released for public comment in September.
While traditional network security models assume that endpoints and users within organizational networks can be implicitly trusted, the zero-trust approach considers scenarios such as threat actors who have stolen legitimate account credentials as well as insider threats. This type of model encourages continuous monitoring and authentication of each endpoint on the assumption that no actor, system, network or service within the “security perimeter” can be trusted. CISA Director Jen Easterly said in a statement Wednesday that zero trust is a “key element” in the effort to modernize and strengthen America’s cyber defenses.
“As our adversaries continue to seek innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” Easterly said. “CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a common maturity baseline.”
The finalized strategy requires that federal personnel have enterprise-managed accounts and that their devices are constantly tracked and monitored. Under the memo, various agency systems must also be isolated from each other, all DNS requests and HTTP traffic must be encrypted, and enterprise applications will be tested both internally and externally. Implementing strong identity and access controls – including multi-factor authentication – is also a priority of the strategy. Federal security teams and data teams will need to work together to develop rules that will detect and block unauthorized access to sensitive information.
“This strategy establishes a new foundation for access controls across government that prioritizes defense against sophisticated phishing and forces agencies to consolidate identity systems so that protections and monitoring can be applied consistently,” according to the memo.
The memo acknowledged that “the transition to a zero-trust architecture will not be a quick or easy task for an enterprise as complex and technologically diverse as the federal government,” as federal agencies will need to overcome various hurdles such as managing legacy hardware and adapting to new practices.
Jonathan Reiber, senior director of cybersecurity strategy and policy at AttackIQ, said the biggest challenge in the transition to zero trust is “keeping teams on the path to progress.”
“It’s a painstaking effort to gather metadata, map the interactions between workloads and applications, and then define a policy to prevent unauthorized access to a large organization’s data,” he said. “Embracing zero trust will make a huge difference in federal cybersecurity, as long as the government keeps the pedal to the metal and keeps moving forward.”
Mark Montgomery, a senior fellow at the Foundation for Defense of Democracies, said that while it’s good to see a strong push on improving and tightening access controls, the “key to success” in implementing this strategy will be oversight by the federal CISO (part of the White House branch of the Office of Management and Budget).
“We will need to ensure that the Federal CISO and the National Director of Cyberspace have the resources to perform the oversight necessary to enforce this implementation plan,” he said.
The federal zero trust strategy requires government agencies to achieve their various security goals by the end of fiscal year 2024. Agencies must also designate a lead implementer of the zero trust strategy for their organizations within 30 days following publication of the memorandum, and they must submit individual implementation plans that meet the requirements to the Office of Management and Budget within 60 days. The memo noted that agencies will need to find funding internally for fiscal years 2022 and 2023 to meet zero trust implementation requirements, or seek funding from alternative sources, such as working capital or the Technology Modernization Fund, a funding model for various federal technology modernization projects.
The memo is just the latest effort by the White House to strengthen security policies across all different parts of the federal government. Earlier in January, for example, Biden signed a national security memorandum that aims to better secure information systems that store and process classified data.
Overall, the memo’s requirements for government agencies to “verify anything and everything attempting to establish access” represent a paradigm shift for the government’s approach to cybersecurity, Reiber said.
“In the case of the SolarWinds intrusion, the intruder moved laterally through US government networks because there were no internal walls to stop this movement,” he said. “The memo highlights the need for new policy and higher internal firewalls between workloads, applications, and servers to prevent unauthorized movement – all key components of zero trust – and that’s exactly what is needed to bring about change.”