White House releases final zero-trust strategy for federal government
The White House on Wednesday issued finalized plans for its strategy to move the federal government to a “zero-trust” cybersecurity strategy by 2024.
The plan, laid out by the Office of Management and Budget (OMB), is an update to a draft issued last September — the new version includes changes requested by cybersecurity professionals, non-profit organizations, and private industry, the agency said. The finalized strategy includes a strong emphasis on enterprise access controls, including multi-factor authentication, and encrypting all DNS and HTTP traffic.
The document makes clear that a transition to a zero-trust architecture will take time to implement, especially given the complexity of government networks and systems. The concept of zero-trust—which at its core assumes that devices on a network should never be trusted—has been circulating among industry consultants and cybersecurity firms for years. But it has increasingly received attention among federal cybersecurity officials after attacks such as the SolarWinds breach and Microsoft Exchange hack put a focus on hackers who have already broken through perimeter defenses.
“Transitioning to a zero trust architecture will not be a quick or easy task for an enterprise as complex and technologically diverse as the Federal Government,” the finalized plan says.
Today, we released a Federal cybersecurity strategy to move the U.S. Government toward a “zero trust” architecture — a critical step forward in delivering on @POTUS’s cybersecurity Executive Order. https://t.co/mhrEqxAFR6
— Office of Management and Budget (@OMBPress) January 26, 2022
Agencies will have nearly two years to implement zero-trust requirements, and the strategy sets deadlines for certain action items. The plan requires agencies to designate a zero-trust strategy implementation lead for their organization within 30 days. Within 60 days, agencies must build upon zero-trust implementation plans that they were required to prepare following the Cybersecurity Executive Order issued by President Biden last May.
Advocates of a zero-trust approach say that it could help prevent a future SolarWinds-like attack, in which hackers essentially gain access to a target’s network by first compromising a cog in the organization’s supply chain. The model involves setting up internal controls that constantly verify whether users should be able to do what they’re trying to do.
“As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” said CISA Director Jen Easterly. “Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.”
“This strategy is a major step in our efforts to build a defensible and coherent approach to our federal cyber defenses,” said National Cyber Director Christopher Inglis. “We are not waiting to respond to the next cyber breach. Rather, this Administration is continuing to reduce the risk to our nation by taking proactive steps towards a more resilient society.”
The finalized strategy from OMB can be found below:
Adam Janofsky
is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.