OMB Releases Zero Trust Strategy
This week, the Office of Management and Budget (OMB) released the ‘Federal strategy to move the U.S. Government toward a Zero Trust approach to cybersecurity.’ As part of the announcement, U.S. federal agencies have 30 days to select a point of contact to lead these efforts and 60 days to deliver a plan identifying how each agency will achieve the goals set for fiscal year 2024.
In short, the strategy and memo kick off the initial steps towards a significant digital transformation that requires top-down changes, from policies to tools, and will impact every employee who works with the federal government.
“Moving to a zero trust architecture involves changes to nearly every aspect of an enterprise’s security posture. As a result, this strategy necessarily touches on a large number of enterprise security practices, which can intersect with other existing OMB policies.”
For the private sector, this is another case study that validates the role Zero Trust will play in the future of the connected world, especially as network perimeters become even more blended.
The strategy builds upon the White House’s Executive Order on Improving the Nation’s Cybersecurity that was released in May 2021, and the Cybersecurity & Infrastructure Security Agency’s (CISA) existing Zero Trust maturity model and resources. The finalized strategy comes after an open comment period that was first introduced in September 2021 and was released as a memo titled Moving the U.S. Government Toward Zero Trust Cybersecurity Principles on January 26, 2022.
OMB loosely defines Zero Trust with the following statement: “The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access.” This aligns with Twingate’s approach, which is that trust is not inherently given just because a device is connected to a particular network. Instead, granular access management and continuous authentication, down to the device level, are necessary to establish trust.
There are several common themes throughout OMB’s Zero Trust strategy: pushing agencies towards multifactor authentication (MFA) that does not rely on SMS 2FA, moving towards identity-first networking instead of IP-based authorization and monitoring, continual verification and authentication, and making applications securely accessible on the public internet.
One of the more relevant areas of OMB’s Zero Trust strategy is the push to make applications internet-accessible. Today, many organizations still rely on on-prem resources, which doesn’t align with the work-from-anywhere world we live in. While some organizations have looked towards virtual private networks (VPN) as a solution, they too were not designed for a hybrid or remote workforce. To truly move towards Zero Trust, OMB has tasked every agency with making at least one application that is not currently accessible via the internet accessible via the public internet within the next year, following a Zero Trust approach. Here is the specific request from OMB:
Making applications internet-accessible in a safe manner, without relying on a virtual private network (VPN) or other network tunnel, is a major shift for many agencies that will take significant effort to achieve. As with all large-scale IT modernization efforts, its chances of long-term success will be improved by beginning with an agile approach.
To catalyze this work and facilitate early identification of obstacles, each agency must select at least one FISMA Moderate system that requires authentication and is not currently internet-accessible. Then, within a year of the issuance of this memorandum, the agency must take the actions necessary to allow secure, full-featured operation of that system over the internet.
Accomplishing that task will require agencies to put in place minimum viable monitoring infrastructure, denial of service protections, and an enforced access-control policy. While implementing those elements, the agency should integrate this internet-facing system into an enterprise identity management system, as described in the Identity section above. Agencies will likely find it beneficial to gain confidence in their controls and processes by performing this shift first on a FISMA Low system before attempting to meet the requirement of doing so for a FISMA Moderate system.
Through this approach, OMB is pushing agencies to adopt Identity and Access Management (IAM), Identity Provider (IdP), and Zero Trust Network Access (ZTNA) models in place of VPNs and other dated concepts.
If you’ve looked over or already begun implementing Zero Trust, OMB’s goals (below) for implementing Zero Trust by 2024 should look familiar. Their approach aligns with the core elements that build a successful foundation, starting with what we refer to as identity-first networking. By following that up with device-related security, OMB’s initiatives will help prevent vulnerable devices from accessing data and resources that would otherwise be granted to them in a standard architecture or in one that secures the perimeter via a VPN.
OMB’s Zero Trust adoption goals:
- Identity: Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.
- Devices: The Federal Government has a complete inventory of every device it operates and authorizes for Government use, and can prevent, detect, and respond to incidents on those devices.
- Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment, and begin executing a plan to break down their perimeters into isolated environments.
- Applications and Workloads: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.
- Data: Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data, and have implemented enterprise-wide logging and information sharing.
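To make the identity, device and application goals above concrete, here is an added example of a per-request access decision, written for this post and not taken from OMB, CISA or Twingate. It assumes a hypothetical enterprise IdP issuer (`ENTERPRISE_IDP`), a constructed device inventory, a constructed group directory and a constructed per-application policy. The point it demonstrates is the identity-first principle from the strategy: the session's issuer, the strength of the MFA method (PIV or FIDO2 counted as phishing-resistant, SMS and one-time codes not) and the device's inventory status drive the decision, while the source network address is recorded for logging and never consulted for trust.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# MFA methods the memo counts as phishing-resistant: PIV smart cards and
# WebAuthn/FIDO2 authenticators. SMS, voice and app-based one-time codes are not.
PHISHING_RESISTANT_MFA = {"piv", "fido2"}

# Hypothetical enterprise identity provider; any other issuer is untrusted.
ENTERPRISE_IDP = "https://idp.agency.example"

# Constructed device inventory (the "complete inventory" goal). A device that
# is not listed, or is listed but unmanaged, cannot carry a trusted session.
DEVICE_INVENTORY: Dict[str, dict] = {
    "dev-0001": {"owner": "alice", "managed": True},
    "dev-0002": {"owner": "bob", "managed": False},
}

# Constructed per-application policy: which groups may reach which resource.
RESOURCE_POLICY: Dict[str, set] = {
    "payroll": {"hr", "finance"},
    "ticketing": {"hr", "finance", "engineering"},
}

# Constructed directory of user -> groups, as an enterprise IdP would assert.
USER_GROUPS: Dict[str, set] = {
    "alice": {"hr"},
    "bob": {"engineering"},
}


@dataclass
class AccessRequest:
    user: str
    idp_issuer: str              # who issued the authenticated session
    mfa_method: Optional[str]    # e.g. "piv", "fido2", "totp", "sms" or None
    device_id: str
    source_ip: str               # kept for the audit log only, never for trust
    resource: str


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Evaluate one request against the identity, device and application goals.

    Every failing check is recorded, so a denial explains itself in the audit
    log instead of stopping at the first problem.
    """
    reasons: List[str] = []

    # Identity: the session must come from the enterprise IdP ...
    if req.idp_issuer != ENTERPRISE_IDP:
        reasons.append(f"session issued by non-enterprise IdP {req.idp_issuer!r}")
    # ... and must have been established with phishing-resistant MFA.
    if req.mfa_method not in PHISHING_RESISTANT_MFA:
        reasons.append(f"MFA method {req.mfa_method!r} is not phishing-resistant")

    # Devices: the device must be in inventory, managed, and assigned to this user.
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None:
        reasons.append(f"device {req.device_id!r} is not in inventory")
    else:
        if not device["managed"]:
            reasons.append(f"device {req.device_id!r} is not enterprise-managed")
        if device["owner"] != req.user:
            reasons.append(f"device {req.device_id!r} is not assigned to {req.user!r}")

    # Applications: authorization is by group membership per resource.
    allowed_groups = RESOURCE_POLICY.get(req.resource)
    if allowed_groups is None:
        reasons.append(f"unknown resource {req.resource!r}")
    elif not (USER_GROUPS.get(req.user, set()) & allowed_groups):
        reasons.append(f"{req.user!r} holds no group permitted on {req.resource!r}")

    # Deliberately absent: any check on req.source_ip. Being on an internal
    # network or a VPN range grants nothing; the same checks apply from anywhere.
    return Decision(allowed=not reasons, reasons=reasons)


def audit_line(req: AccessRequest, decision: Decision) -> str:
    """One structured log line per decision, for the enterprise-wide logging goal."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    return (f"{verdict} user={req.user} device={req.device_id} src={req.source_ip} "
            f"resource={req.resource} reasons={decision.reasons}")


if __name__ == "__main__":
    # Constructed sample requests: a compliant one from a public address, and one
    # from an internal address that still fails on MFA, device and group grounds.
    good = AccessRequest("alice", ENTERPRISE_IDP, "piv", "dev-0001", "203.0.113.7", "payroll")
    bad = AccessRequest("bob", ENTERPRISE_IDP, "sms", "dev-0002", "10.0.0.5", "payroll")
    for r in (good, bad):
        print(audit_line(r, evaluate(r)))
```

Collecting every failed check rather than returning on the first one is a small design choice that pays off operationally: the denial reasons feed the monitoring infrastructure the memo asks for, and a burst of "device not in inventory" denials is a detection signal in its own right.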
As agencies move towards Zero Trust adoption, we’ll likely see a snowball effect where private organizations rely on these models to pursue the same. NIST, for example, offers several threat intelligence and threat response models that are now widely accepted, alongside open standards currently being developed by the likes of Cloud Security Alliance, MITRE, and OASIS.