The Office of Management and Budget (OMB) zero-trust cybersecurity strategy, released at the beginning of 2022, requires federal agencies to adopt a zero-trust security framework by the end of fiscal year 2024. September 2024 is the deadline for federal agencies to implement some level of zero-trust architecture and demonstrate they have made a fundamental shift in their approach to cybersecurity. That deadline is fast approaching.
What does zero trust mean for federal agencies, partners, and suppliers? Instead of relying on a perimeter-based security model, where trust is granted to users and devices inside the network, organizations must adopt a “never trust, always verify” approach to securing our nation’s most sensitive networks.
The goal: to reduce their attack surface, prevent unauthorized access and lateral movement within the network, detect and respond to threats more quickly, and ultimately, better protect the highly sensitive data and resources that federal agencies manage. The transition moves security closer to applications, data, and other resources to enhance defense in depth.
Why Zero Trust? Why Now?
Not by coincidence, the OMB’s timeline occurs in sync with other massive ongoing changes in the enterprise: digitization of the workforce and migration to cloud. The FedRAMP marketplace has been instrumental in transitioning the government sector to the cloud. Technology is now at the point where agencies can hit some important zero-trust goals over the next few years, although industry collaboration and partnerships are critical for zero-trust adoption across the federal government.
Moving the nation toward zero-trust cybersecurity is part of a government-wide plan to modernize the federal government’s approach to security, as mandated in the 2021 Executive Order 14028.
Many of the actions in the OMB directive are predicated on existing cybersecurity efforts, including Identity and Access Management (IAM), Privileged Access Management (PAM), and Continuous Diagnostics and Mitigation (CDM). Some of the key elements are already in place, including the CDM program, Homeland Security Presidential Directive-12 (HSPD-12), and data encryption and domain name system protections. However, there are no specific deadlines for each area.
Pain Points in Shifting to a Zero-Trust Model
Adapting to zero trust won’t be easy, and getting ahead of it by addressing the key pain points will make all the difference. Here’s the top line on what’s involved:
- A comprehensive evaluation and overhaul of existing security practices
- Investing in new technologies and solutions
- Retrofitting or replacing legacy systems that don’t adapt
- Retraining staff
Before the Fiscal End of 2024
Familiarize yourself with Homeland Security Presidential Directive-12 (HSPD-12). Have the data encryption and domain name system protections down cold.
Read NIST Special Publication 800-53 to learn where zero trust fits into the bigger historical picture and why it falls under annual FISMA assessments and evaluations.
Read the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model (ZTMM) to understand the government’s overall approach to achieve continued modernization efforts related to zero trust within a rapidly evolving threat environment and technology landscape. The ZTMM is one of many paths that an organization can take in designing and implementing its transition plan to zero trust architectures in accordance with Executive Order (EO) 14028.
Change your thinking and assume a new cybersecurity posture. Service changes will be par for the course, and CISA has already started to change how it provides cyber services to agencies to emphasize the concept of zero trust.
Importantly, encryption and decryption should happen at the device level, and all information stored should only be accessible by the end user. IT administrators should have total control over employee password practices across the organization, implement least-privilege, role-based access controls, and enforce the use of strong passwords and Multi-Factor Authentication (MFA).
Focus on Making the Biggest Impact Over the Next Three Years
According to Chris DeRusha, Federal Chief Information Security Officer at OMB, each agency will have a different approach to fulfilling the plan, with emphasis on the key pillars that provide the highest return, for example, IAM. Inspectors general are going to assess and evaluate federal agencies for zero trust as part of their annual FISMA report. So, zero-trust initiatives need to kick in now, and, as DeRusha said, agencies must focus on initiatives that provide the highest measurable returns.
What can enterprises do now to attain zero trust before the fiscal end of 2024 and benchmark progress over the next three years? Agencies should focus on security measures that will make the biggest impact in the shortest amount of time. This is best approached by focusing on the five pillars that provide the foundation for the CISA ZTMM.
Five Pillars of the CISA Zero Trust Maturity Model
- Identity
At the most basic maturity level, federal agencies will be expected to implement controls such as authenticating users with MFA and determining identity risk using manual methods and static rules to support visibility. Optimally, agencies will enforce phishing-resistant MFA and automated, enterprise-wide identity policies and continuous validation of all users and entities, across all systems.
- Device
Federal agencies must not only secure all agency-owned devices but also, in cases where employees are authorized to BYOD (bring your own device), manage the risks of those personal devices and prevent unauthorized devices from accessing agency resources. At the most basic maturity level, this includes measures such as maintaining an asset inventory, having a preliminary, basic software approval process, and automatically pushing updates and configuration changes to devices. Optimally, agencies are expected to fully automate policy compliance and processes such as provisioning, registering, monitoring, isolating, remediating, and deprovisioning of all devices and virtual assets.
- Network/Environment
Initially, agencies are expected to take measures such as isolating critical workloads, enforcing least-privilege network access, encrypting all internal traffic and ensuring scalability. At the optimal maturity level for this pillar, agencies will have implemented a network environment built using infrastructure-as-code, which allows advanced controls such as micro-segmentation and enterprise-wide network policies.
- Applications and Workloads
This pillar revolves around delivering secure applications with granular access controls and integrated threat protections to enhance situational awareness and mitigate application-specific threats. At its most basic level, this includes measures such as static and dynamic software testing with at least some automated policy enforcement during the software development process. Agencies at the optimal maturity level for this pillar will have integrated application security testing throughout the software development lifecycle, including routine automated testing of deployed applications. Additionally, application access will be automatically and continuously validated, including real-time risk analytics and factors such as behavior or usage patterns.
- Data
The data pillar is all about protecting data at rest and in transit, as well as properly categorizing and labeling data and keeping accurate data inventories. At the lowest maturity level, this includes measures such as implementing a data categorization strategy, deploying automated, least-privilege data access as well as encrypting all data in transit and, wherever possible, data at rest. Agencies at the optimal maturity level will have automated data categorization and labeling enterprise-wide, employed comprehensive data loss prevention (DLP) strategies, and automated data lifecycles and security policies.
Steps to Prepare Now
- Protect Passwords and Credentials – Protect data and systems with a FedRAMP solution that is quick to deploy, easy to use, supports strong MFA, and can securely store, share, and manage passwords across the entire organization.
- Simplify Secure Remote Access – Securely manage your remote connections from anywhere without having to rely on a VPN.
- Streamline Compliance and Audits – Provide on-demand visibility of access permissions to your organization’s credentials and secrets.
- Deploy a PAM Solution – Tightly monitor access and activity in privileged accounts while also maintaining regulatory and industry compliance requirements. PAM also prevents privileged users from misusing their access, which reduces cyber risks. If a cybercriminal is able to gain access to an organization’s networks, PAM platforms can minimize the blast radius by preventing lateral movement.
The good news: the shift does not have to be everything, everywhere, all at once. Moving toward a zero-trust strategy has been years in the making at the federal level. It has yet to be fully implemented because the technology and culture were slow to adapt. Now, with cloud migrations complete and hybrid models as a standard operating procedure, the technology environment is more conducive to the change in mindset and systems that the new zero-trust model necessitates.
- Countdown to Zero Trust - April 6, 2024