The White House Office of Management and Budget on Wednesday released a new strategy setting new standards for federal departments and agencies to move to a zero-trust architecture to secure their networks, information systems and data.
A zero-trust architecture will also help with rapid detection and isolation of cyber threats, OMB said.
The new strategy, outlined in a 29-page memorandum from Shalanda Young, the acting director of OMB, was directed by President Biden last May in an executive order requiring that the federal government adopt a zero-trust architecture. Agencies have until the end of fiscal year 2024 to meet specific security goals.
The memo cites the Defense Department’s Zero Trust Reference Architecture, which says “The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access.”
The security goals are based on a zero-trust model developed by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and cover five areas of effort: identity, devices, networks, applications and workloads, and data. Agencies have 30 days to identify a lead individual to implement their respective zero-trust architectures.
In each of the areas of effort, the strategy outlines a vision and the specific actions necessary to achieve a more defensible cyber architecture.
For example, under the identity effort, identities are managed at the enterprise level to control access to work applications. The strategy also requires the use of multi-factor authentication (MFA) at the application layer. Phishing-resistant MFA is required for federal workers and contractors and is an option for public users of public-facing systems.
Biden administration cybersecurity officials have been hammering the need for MFA as a common best practice that should be adopted across the private and public sectors. MFA might, for example, require both a password and a biometric identifier to access a network or application.
For devices, the strategy requires that agencies inventory every device used for official business using CISA’s Continuous Diagnostics and Mitigation program, which uses tools provided by the private sector to create awareness of enterprise assets. It also requires the use of endpoint detection and response (EDR) tools that meet CISA’s requirements.
If an agency doesn’t have the required EDR tools, CISA will work with it to acquire them.
“This zero-trust strategy is about ensuring the Federal Government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the United States harm,” OMB’s Young said in a statement.