The White House has instructed federal agencies to officially move towards a zero trust approach to cybersecurity to reduce the risk of cyberattacks against the government’s digital infrastructure.

The federal strategy, released by the Office of Management and Budget (OMB), represents a crucial step in delivering on President Biden’s Executive Order on Improving the Nation’s Cybersecurity. 

Zero trust will help agencies detect, isolate, and respond to different types of threats more rapidly. By detailing a series of specific security goals for agencies, the new strategy will serve as a comprehensive roadmap for shifting the federal government to a new cybersecurity paradigm that will help protect public safety, privacy and infrastructure. While the concept behind zero trust is not new, the implications of shifting away from “trusted networks” are new to most enterprises, including many agencies, the OMB said. 

The strategy requires agencies to meet specific cybersecurity standards and objectives by the end of 2024. In addition, the strategy places a significant emphasis on stronger enterprise identity and access controls, including multi-factor authentication (MFA), and envisions a government where: 

  • Federal staff have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks.
  • The devices that federal staff use to do their jobs are consistently tracked and monitored, and the security posture of those devices is taken into account when granting access to internal resources.
  • Agency systems are isolated, and the network traffic flowing between and within them is reliably encrypted.
  • Enterprise applications are tested internally and externally and can be made available to staff securely over the internet.
  • Federal security teams and data teams work together to develop data categories and security rules to automatic.

“Security is the cornerstone of our efforts to build exceptional digital experiences for the American public,” said Federal Chief Information Officer Clare Martorana. “Federal agency CIOs and IT leadership are leaning into this challenge, and the zero trust strategy provides a clear roadmap for deploying technology that is secure by design and responsive to the needs of our workforce so they can better deliver for the American public.”

The strategic goals established by the OMB align with the Cybersecurity and Infrastructure Security Agency's (CISA) five pillars:

1. Identity: Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects personnel from sophisticated online attacks.

2. Devices: The federal government has a complete inventory of every device it operates and authorizes for government use, and can prevent, detect, and respond to incidents on those devices.

3. Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment and begin executing a plan to break down their perimeters into isolated environments.

4. Applications and Workloads: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.

5. Data: Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data and have implemented enterprise-wide logging and information sharing.

Lucas Budman, CEO, TruU, explains, “The initial step in any successful zero trust strategy should focus on granting access by verifying the person requesting access, understanding the context of the request, and determining the risk of the access environment. This never trust, always verify, enforce least privilege approach provides the greatest security for organizations. It’s also important in a zero trust construct to recognize that devices that access data (laptops, desktops, mobile devices) have identities, as well. You must understand the device’s posture when accessing the network to provide proper device-level authentication and authorization. If the user only has access to non-sensitive or public information, the enterprise may not care that their device might have malware; however, if the user is trying to access sensitive financial or customer data, access should only be given to those devices that are managed, trusted and protected. In any case, simultaneous device risk data and identity authentication allow users to implement policies that respond to potential threats as they happen by stepping up identity verification on compromised endpoints and limiting access to high-value assets associated with those endpoints.”
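As an added illustration (not code from the article, TruU or OMB), the following evaluates each access request on identity assurance, device posture and data sensitivity the way the quote describes, failing closed on anything it cannot classify; the posture attributes and the three sensitivity labels are assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Tuple

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # grant only after phishing-resistant MFA completes
    DENY = "deny"

@dataclass(frozen=True)
class DevicePosture:
    managed: bool           # enrolled in the enterprise device inventory
    disk_encrypted: bool
    endpoint_healthy: bool  # endpoint agent reporting, no active detection

@dataclass(frozen=True)
class AccessRequest:
    user: str
    phishing_resistant_mfa: bool  # FIDO2/PIV for this session, not SMS or push
    device: DevicePosture
    sensitivity: str              # assumed labels: public, internal, sensitive

def device_trusted(d: DevicePosture) -> bool:
    """A device is trusted only while managed, encrypted and currently healthy."""
    return d.managed and d.disk_encrypted and d.endpoint_healthy

def evaluate(req: AccessRequest) -> Tuple[Decision, str]:
    """Decide per request, not per network location; the reason goes to the audit log."""
    if req.sensitivity == "public":
        # Device posture is not a gate for public data; identity alone suffices.
        return Decision.ALLOW, "public resource: identity verified"
    if req.sensitivity == "sensitive":
        if not device_trusted(req.device):
            return Decision.DENY, "sensitive resource requires a managed, healthy device"
        if not req.phishing_resistant_mfa:
            return Decision.STEP_UP, "sensitive resource requires phishing-resistant MFA"
        return Decision.ALLOW, "trusted device and phishing-resistant MFA"
    if req.sensitivity == "internal":
        # A degraded or unmanaged device does not block, but it raises the bar.
        if not req.device.managed or not req.device.endpoint_healthy:
            return Decision.STEP_UP, "internal resource from unmanaged or degraded device"
        if not req.phishing_resistant_mfa:
            return Decision.STEP_UP, "internal resource without phishing-resistant MFA"
        return Decision.ALLOW, "internal resource, managed healthy device"
    # Unknown classification: fail closed rather than guess.
    return Decision.DENY, "unclassified resource"
```

Because the decision is recomputed on every request, a device whose endpoint agent later reports a detection drops from ALLOW to STEP_UP or DENY on its next access without any session teardown logic.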

“As part of any digital transformation, zero trust networks should be a key initiative that focuses on securing resources (data, identities, and services), rather than securing physical networks,” explains Anurag Gurtu, CPO, StrikeReady. “By focusing on tailored controls around sensitive data stores, applications, systems, and networks, the zero trust model shifts the focus away from varying types of authentication and access controls. The zero trust initiative should be supported by other key initiatives such as modernizing the security operations as well as uniting and empowering cyber defenders. Without one of these, an organization’s security will be shaky at best.”

OMB and CISA will work with agencies throughout zero trust implementations to capture best practices, lessons learned and additional agency guidance on a jointly maintained website at