Today, the Office of Management and Budget (OMB) published the final version of its strategy that directs Federal agencies to migrate to zero trust security architectures.
At the same time, OMB gave agencies numerous short- and long-term deadlines to focus their actions in meeting the policy’s directives.
The finalized directive builds on a draft version of the policy issued in September 2021 and put out for public comment. Getting the zero trust migration strategy moving on the Federal agency front – for what will be a years-long journey for most – is a key pillar in the Biden administration’s cybersecurity executive order issued last year.
In announcing the finalized policy, OMB emphasized the central tenet of zero trust security – getting rid of traditional perimeter-based defenses for networks and replacing them with security based on least-privilege access and constant re-evaluation of user identity and trust.
“It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verifying once at the perimeter to continual verification of each user, device, application, and transaction,” OMB said today in releasing the final policy.
“The growing threat of sophisticated cyberattacks has underscored that the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data,” OMB said. “The Log4j vulnerability is the latest evidence that adversaries will continue to find new opportunities to get their foot in the door. The zero trust strategy will enable agencies to more rapidly detect, isolate, and respond to these types of threats.”
Deadlines for Agencies – Short Term
The OMB directive sets forth not less than 19 specific deadlines for agencies to get working on zero trust implementation and for Federal IT council officials to pitch in and help.
Of those, two key short-term deadlines apply immediately to Federal agencies.
The first, due in 30 days, is designating and identifying a zero trust strategy implementation lead for each agency. OMB said it will rely on the designated leads “for Government-wide coordination and for engagement on planning and implementation efforts within each organization.”
The second, due in 60 days, requires each agency to build on existing plans for zero trust implementation by incorporating requirements identified in the finalized OMB policy. Agencies then need to give those adjusted plans to OMB and CISA along with an implementation plan for Fiscal Years 2022-2024 and a budget estimate for FY2024.
“Agencies should internally source funding in FY22 and FY23 to achieve priority goals, or seek funding from alternative sources, such as working capital funds or the Technology Modernization Fund,” OMB advised.
Further out, the OMB policy requires agencies to achieve a specific list of zero trust security goals by the end of FY2024. Those goals are organized around the zero trust maturity model developed by CISA – but not yet finalized by the agency – and are focused on the five pillars identified by CISA: identity; devices; networks; applications and workloads; and data.
OMB said its zero trust policy strategic goals align as follows with the five CISA pillars:
- Identity: Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.
- Devices: The Federal Government has a complete inventory of every device it operates and authorizes for Government use and can prevent, detect, and respond to incidents on those devices.
- Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment and begin executing a plan to break down their perimeters into isolated environments.
- Applications and Workloads: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.
- Data: Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data and have implemented enterprise-wide logging and information sharing.
Data Tagging Help on the Way
Another important deadline in the OMB directive falls under the area of data security, and specifically in developing a “comprehensive, accurate approach to categorizing and tagging data” – which OMB said it expects “will be challenging for most agencies.”
To help ensure engagement and progress on that challenge, the OMB directive sets a 90-day deadline for the Federal Chief Data Officer (CDO) Council and the Federal Chief Information Security Officer (CISO) Council to create a joint working group on zero trust data security for agencies.
“This working group will develop a data security guide for agencies that addresses how existing Federal information categorization schemes can support effective data categorization in a security context,” OMB said, adding that the guide will also support the development of enterprise-specific data categories that are not addressed by existing Federal categories.
“While agencies have been required to inventory their datasets for some time, a comprehensive zero trust approach to data management requires going beyond what agencies may be accustomed to thinking of as ‘datasets,’” OMB said.
“Achieving this goal will not only require developing protections for the packaged datasets agencies store in databases or publish online, but also grappling with more loosely structured and dispersed data systems (such as email and document collaboration) and intermediate datasets that exist principally to support the maintenance of other primary datasets,” the agency said.