The final version of the Office of Management and Budget’s zero trust security directive issued this week drew strong praise from private-sector providers of security technologies to Federal agencies for its hard deadlines and firm direction to agencies on how to begin digging into the task of migrating toward zero trust architectures.
The OMB order features not less than 19 deadlines for Federal agencies – and their security teammates at the Cybersecurity and Infrastructure Security Agency (CISA) and elsewhere through government – to get working on zero trust. The deadlines include shorter-term targets to deliver plans to CISA and OMB, longer-term horizons for funding issues, and a big Fiscal Year 2024 deadline to achieve a lengthy list of zero trust security goals.
“Zero trust adoption for Federal agencies will offer one of the best defenses against a constant increase in cyberattacks, which threaten critical infrastructure, data, and our way of life,” Dr. Matthew McFadden, Vice President, Cyber & Distinguished Technologist at General Dynamics Information Technology (GDIT), told MeriTalk.
“The OMB’s finalized zero trust strategy is the unified guidance agencies need to accelerate cybersecurity plans and partner with technology leaders to help them meet the 2024 deadline,” he continued.
“For some time, GDIT has been seeing a substantial demand for zero trust solutions that provide protection and resilience from cyberattacks and this executive order only reinforces that need. As a leading Federal systems integrator, we know how to apply innovative zero trust solutions to our customer’s biggest challenges,” McFadden said.
“While this week’s OMB final memorandum M-22-09 provides clear goals, guidance, and actions to take, agencies might be feeling trepidation due to a lack of resources and a well-developed plan to operationalize zero trust security,” said Miguel Sian, Senior Vice President of Technology at Merlin Cyber.
“This is where it is essential for agencies to collaborate with private industry, who can help them leverage Fed-ready cybersecurity solutions to accelerate zero trust maturity,” he said.
Raghu Nandakumara, Field CTO at Illumio, said the final OMB zero trust policy “hits on two core pillars that will help make zero trust a national cybersecurity reality, both of which were glaringly missing from last year’s initial EO: a firm deadline and a check stapled to the upper left hand corner.”
“As organizations across industries increasingly look to zero trust to bolster resilience, it’s essential to keep in mind that zero trust is not an overnight transformation – it’s a journey,” he said. “Although the 2024 deadline may seem far away, with how much goes into building a resilient and cyber-conscious agency and supply chain, it’s imperative that organizations – particularly agencies in the public sector – get started on embracing key zero trust pillars (least privilege, visibility everywhere, segmentation, building an accurate and up to date asset inventory, etc.) today.”
“There are incremental steps agencies can take to bolster their zero trust security posture right now (i.e., implementing multi-factor authentication, gaining visibility into your network communications, isolating large swaths of your environment from each other, etc.),” Nandakumara counseled. “As we develop and revise perfect plans, attackers will continue attacking our networks. While it’s important to work toward an exceptional zero trust strategy in the long run, it’s even more critical to make incremental progress today.”
“OMB’s final zero trust architecture strategy provides a roadmap for federal IT leaders to improve defenses against growing and persistent cyber threats,” said Matt Marsden, Vice President, Technical Account Management, Public Sector, at Tanium. “With increasingly complex cyber vulnerabilities, like the recent Log4j vulnerability, it is critical that agencies are strategic about securing and managing their endpoints.”
“Without endpoint visibility, devices at the tactical edge can remain critically exposed to threats,” he explained. “When your endpoints are secure, you can ensure that access is controlled, and your data is protected.”
“Zero trust is not only about validating user identities but also identifying non-person entities,” Marsden said. “Verifying endpoint devices and having accurate data on those devices are critical pieces of the equation. With high-fidelity data, agencies can apply the principles of least privilege to ensure that strategic assets are protected. When it comes to protecting sensitive data and maintaining mission-critical services, agencies need accurate endpoint data to fully understand and secure their environment.”