Federal government agencies will adopt zero trust cybersecurity principles to meet specific standards and objectives as newly detailed by the Office of Management and Budget (OMB), according to a new memorandum issued by the supervisory office.
In a zero trust model, no actor, system, network or service operating outside or within the security perimeter is trusted. Everything must be verified every time before access is granted. It represents a dramatic shift from how infrastructure, networks and data have been secured in federal agencies for years. In increasing numbers, both the public and the private sector are moving toward the security framework.
MSSPs and their cybersecurity platform providers are attuned to the Zero Trust trend. True believers include BlackBerry and the company's Cylance team -- which has been evangelizing Zero Trust strategies to MSSPs for quite some time.
Zero Trust Federal Government Mandate Explained
The OMB's directive is fine-tuned to a federal zero trust architecture specific to government agencies. It requires agencies to meet specific cybersecurity standards and objectives by FY 2024, which ends September 30, 2024. The goal is to bolster the government’s defenses against advanced persistent threat (APT) campaigns that target critical infrastructure.
“In the current threat environment, the federal government can no longer depend on conventional perimeter-based defenses to protect critical systems and data,” the OMB said. Russian hackers have repeatedly gone after federal agencies and critical infrastructure such as water, energy and natural gas pipelines.
The zero trust initiative is tied to a cybersecurity executive order President Biden issued in May 2021 that launched a sweeping government-wide effort to ensure that baseline security practices are in place, to migrate the federal government to zero trust and to move on-premises systems to the cloud.
Federal Government Cybersecurity: Key Considerations
According to the memo, government agency cybersecurity would look like this:
- Federal staff have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks.
- The devices that federal staff use to do their jobs are consistently tracked and monitored, and the security posture of those devices is taken into account when granting access to internal resources.
- Agency systems are isolated from each other, and the network traffic flowing between and within them is reliably encrypted.
- Enterprise applications are tested internally and externally, and can be made available to staff securely over the internet.
- Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information.
“Federal applications cannot rely on network perimeter protections to guard against unauthorized access,” the agency said. “Users should log into applications, rather than networks, and enterprise applications should eventually be able to be used over the public internet. In the near term, every application should be treated as internet-accessible from a security perspective.”
Cybersecurity and Infrastructure Security Agency (CISA) Offers Zero Trust Guidance
Agencies have until February 26, 2022 to assign a lead person to coordinate with the federal government on implementing a zero trust model. In turn, the OMB and the Cybersecurity and Infrastructure Security Agency (CISA) will work with agencies throughout the process to capture best practices and lessons learned, and will jointly maintain a website at zerotrust.cyber.gov.
The strategy also calls on federal data and cybersecurity teams “within and across agencies” to jointly develop pilot programs and guidance on categorizing data based on security needs, with an end goal to automate security access rules.
“Transitioning to a zero trust architecture will not be a quick or easy task for an enterprise as complex and technologically diverse as the federal government,” the OMB said in the memo.