White House Releases a Draft Zero Trust Strategy for Improved Federal Cybersecurity

Published: September 15, 2021

Federal Market AnalysisCybersecurityCISAOMBPolicy and Legislation

OMB wants comments on its strategy for moving federal agencies toward a Zero Trust Architecture (ZTA), which includes multiple agency action items.

The Office of Management and Budget (OMB) has released a Draft Federal Strategy for Moving the U.S. Government Towards a Zero Trust Architecture (ZTA) and is accepting public comment on the strategy through September 21.

OMB and other White House cybersecurity leadership are working with the Cybersecurity and Infrastructure Security Agency (CISA) and other relevant programs, such as the Federal Risk and Authorization Management Program (FedRAMP), to help civilian agencies adapt their enterprise security architectures to be based on zero trust principles. The new strategy is one of the latest developments resulting from the White House’s May Executive Order (EO) on improving federal cybersecurity.

Moving Agencies to Zero Trust by FY 2025

To achieve specific zero trust security goals by the end of fiscal year (FY) 2024, the memorandum directs agencies to take specific actions under five areas of CISA’s the zero trust maturity model. Required agency actions under each area include (emphasis added):

  1. Identity: Use of single sign-on (SSO) services integrated into applications and common platforms, including cloud services; enforced multi-factor authentication (MFA) at the application level, including phishing-resistant MFA; and update secure password policies and use of services to check passwords against known-weak and known-breached data.
  2. Devices: Formal participation in CISA’s Continuous Diagnostics and Mitigation (CDM) program and use of endpoint detection and response (EDR) tools on agency devices.
  3. Networks: Use of encrypted Domain Name System (DNS) capabilities to resolve DNS queries wherever it is technically supported; enforced Hypertext Transfer Protocol Secure (HTTPS) for all web and application program interface (API) traffic; and develop a network segmentation plan around applications. CISA and FedRAMP will evaluate Mail Transfer Agent Strict Transport Security (MTA-STS) as a viable government-wide solution for encrypted email.
  4. Applications: Operate dedicated application security testing programs, using high-quality firms specializing in application security for independent third-party evaluation; maintain an effective public vulnerability disclosure program; make at least one internal-facing FISMA Moderate application accessible over the public internet using enterprise SSO; and provide to CISA and GSA any non-.gov hostnames they use.
  5. Data: Perform initial automation of data categorization and security responses, focusing on tagging and managing access to sensitive documents; audit access to data encrypted at rest in commercial cloud infrastructure; and implement comprehensive logging and information-sharing capabilities, per OMB Memorandum M-21-31. OMB will work with Federal chief data officers and chief information security officers to develop a zero trust data security strategy and associated community of practice.

Agencies are not left on their own to meet these cybersecurity objectives. CISA will work with agencies by providing support and available tools, including CISA’s Protective DNS program, their vulnerability disclosure platform, and CDM program support. The memo also encourages agencies to take advantage of various industry-provided tools and capabilities. Depending on their current cybersecurity maturity some agencies will likely need architecture and governance support services as well.

For their part, the Department of Defense (DoD) and the intelligence community have been working on ZTA for the last several years. The National Security Agency (NSA) issued Guidance on a Zero Trust Security Model in February and the Defense Information Systems Agency (DISA) publicly released version 1.0 of its Zero Trust reference architecture in May.

As federal cybersecurity governance continues to evolve, there will be continued opportunity for industry input, partnership and support. In addition to the above government-wide ZTA strategy, CISA is taking comments on their draft Zero Trust Maturity Model through Friday, October 1, 2021.