OMB Puts Federal Agencies on the Path to Zero Trust Cybersecurity by the End of Fiscal 2024

Published: February 04, 2022


Agencies will need to internally fund their Zero Trust efforts or seek Technology Modernization Fund help until the fiscal year 2024 budget cycle.

The Office of Management and Budget (OMB) recently released a memorandum to federal agencies, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. The latest directive from OMB builds upon provisions in the White House’s May 2021 Cybersecurity Executive Order 14028, which gave agencies 60 days to develop their plans for implementing zero trust architectures (ZTA).

Immediate Actions and Future Budget Planning

OMB’s newest memo gives agencies 30 days to name an agency lead for zero trust strategy implementation and government-wide planning and coordination. OMB also gives agencies 60 days to perform some additional specific actions (see below) and to submit to OMB and the Cybersecurity and Infrastructure Security Agency (CISA) an implementation plan for fiscal years (FY) 2022-2024 and a budget estimate for FY 2024.

To achieve ZT priority goals in FY 2022 and FY 2023, agencies were told to internally source funding or seek alternative sources, such as agency working capital funds (WCF) or the Technology Modernization Fund (TMF).

OMB’s Zero Trust Goals for Agencies

OMB’s ZT goals are organized using the same structure as the Cybersecurity and Infrastructure Security Agency (CISA) zero trust maturity model released last September, with five complementary areas of effort (pillars) – Identity, Devices, Networks, Applications and Workloads, and Data – and with three cross-cutting themes – Visibility and Analytics, Automation and Orchestration, and Governance.

Agencies have 60 days to take the following actions under each area:

  1. Identity: Agencies must employ centralized, integrated identity management systems; strong, phishing-resistant multi-factor authentication (MFA) at the application layer; password policies that do not require the use of special characters or regular rotation; and information access authorization processes that consider device-level signals alongside identity information.
  2. Devices: Agencies must create reliable asset inventories of their devices, users, and systems, using CISA’s Continuous Diagnostics and Mitigation (CDM) program. Agencies must also work with CISA to effectively deploy Endpoint Detection and Response (EDR) tools to ensure they meet CISA’s technical requirements and establish the information-sharing capabilities described in OMB’s October 2021 memo on Endpoint Detection and Response (M-22-01).
  3. Networks: Agencies must use encrypted Domain Name System (DNS) capabilities to resolve DNS queries wherever it is technically supported, including CISA’s Protective DNS program. Agencies must enforce Hypertext Transfer Protocol Secure (HTTPS) for all web and application programming interface (API) traffic and “preload” their .gov domains into web browsers as accessible only over HTTPS. Agencies must also develop a zero trust architecture (ZTA) plan that describes the agency’s approach to environmental isolation as part of their overall ZT implementation plan. CISA will work with FedRAMP to evaluate the viability of current open standards for government-wide encrypted email solutions.
  4. Applications and Workloads: Agencies must operate dedicated application security testing programs; use high-quality firms specializing in application security for independent third-party evaluation; maintain an effective public vulnerability disclosure program; make at least one internal-facing FISMA Moderate application newly accessible over the public internet without relying on a virtual private network (VPN) or other network tunnel; and work toward employing immutable workloads when deploying services, especially in cloud-based infrastructure. To aid discovery of agency internet-accessible applications, agencies must provide to CISA and GSA any non-.gov hostnames they use. In return, CISA will provide agencies with data about their online applications and other assets from CISA’s IT infrastructure scanning efforts.
  5. Data: Agencies must implement initial automation of data categorization and security responses, focusing on tagging and managing access to sensitive documents; audit access to data encrypted at rest in commercial cloud infrastructure; work with CISA to implement comprehensive logging and information-sharing capabilities, per OMB’s August 2021 memo on improving investigative and remediation capabilities (M-21-31). OMB will work with federal chief data officers and chief information security officers to create a joint committee to develop a zero trust data security guide for agencies.

Throughout the memo, OMB expounds upon each pillar and action item mentioned above to provide agencies with deeper guidance on the way forward. OMB also provides guidance on how agencies should interpret other OMB memoranda whose requirements relate to the new zero trust goals, including the transition to Internet Protocol Version 6 (IPv6); Personal Identity Verification (PIV) and non-PIV authenticators; alternatives to network inspection; and HTTPS for internal connections.

OMB said that it and CISA will work with agencies throughout their zero trust implementations to capture best practices, lessons learned, and additional agency guidance, and post this information to zerotrust.cyber.gov.
