Members of the public have until Sept. 21, 2021, to comment on a set of draft policies from the Office of Management and Budget (OMB). The policies are intended to move federal civilian agencies toward a stronger minimum level of security, informed by zero-trust principles.
The Federal Zero Trust Strategy follows up on President Biden's May 2021 executive order on cybersecurity (EO 14028) and calls for agencies to stop assuming that any network or tool is, or will remain, secure.
“While the concepts behind zero trust architectures are not new, the implications of shifting away from ‘trusted networks’ are new to most enterprises, including many federal agencies,” the draft states.
OMB’s plan requires agencies to meet certain zero-trust milestones by the end of fiscal year 2024.
Agencies would have to require staff to verify their identities before accessing applications, using single sign-on backed by strong multifactor authentication (MFA).
Under the plan, agencies also would have to encrypt all domain name system (DNS) requests and HTTP traffic within their environments. By the end of fiscal year 2024, individual agencies would need to be making progress on segmenting their networks, while the federal government as a whole would be working toward encrypting email in transit.
Agencies also would need to maintain an inventory of every device used to handle government work, so that they can detect and respond to incidents involving those devices. They would also need to determine what sensitive data they hold and adopt defenses informed by that knowledge.
Further steps call for organizations to regularly test their security and set up ways for quickly receiving alerts from outside groups about any discovered vulnerabilities.
Organizations would not be facing these tasks without help. The OMB calls for agencies with strong cyber postures to assist those without and points to various ways the Cybersecurity and Infrastructure Security Agency (CISA) can provide tools and knowledge to help meet these goals. Agencies are also asked to provide plans by early November outlining how they will achieve these zero-trust goals and request fiscal year 2023-24 budgeting to support those steps.
SECURE AUTHENTICATION
Zero trust calls for continually confirming users' identities: authentication is enforced at each application a user accesses, rather than once at the network perimeter.
OMB advises agencies to let staff, contractors and partners use a single username and password to authenticate themselves across various services — a method known as single sign-on. This is intended to reduce the number of accounts agencies must manage, which then makes it easier to oversee them and to revoke users’ access as needed, the strategy draft states.
But SSO doesn't mean lighter security: internal users would still have to verify themselves with more than one factor. OMB noted that phishing scammers can defeat some MFA options, for example by tricking victims into handing over one-time codes, which the attacker then relays to the real login page within the code's validity window. Agencies would therefore have to adopt phishing-resistant methods as part of their MFA procedures, such as the federal Personal Identity Verification (PIV) smart card standard.
The OMB proposal also calls for agencies to update their password rules: require a minimum length, for example, but drop demands that passwords include special characters. Agencies also would need to check, through a breached-password service, whether a password chosen by a new user has already appeared in a known breach.
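The relay attack the draft warns about, as an added example (not code from the article or from OMB's strategy): a small Python model that runs a real-time phishing relay against two authenticators. The first is a standard TOTP code (RFC 6238), which the victim types into a look-alike site and the attacker forwards to the real one. The second is a simplified origin-bound authenticator that signs the challenge together with the origin the browser is actually talking to; the relying party only accepts signatures over its own origin, so the relayed signature fails. The origins, keys and the HMAC-as-signature stand-in are constructed for the example; real PIV authentication is certificate-based smart-card authentication over TLS, and the origin binding here is a simplified stand-in for that channel binding.

```python
"""Model of a real-time phishing relay against two kinds of second factor.

Added example; not part of the original article or OMB's text. Names below
(origins, keys) are constructed. HMAC stands in for the asymmetric signature a
real authenticator would produce; what matters is *what* gets signed.
"""
import hashlib
import hmac
import secrets
import struct

LEGIT_ORIGIN = "https://sso.agency.example"   # constructed relying party
PHISH_ORIGIN = "https://sso-agency.example"   # constructed look-alike site


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time counter floor(now / step)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def relay_totp_attack(secret: bytes, now: int) -> bool:
    """Victim reads the code from their phone and types it into PHISH_ORIGIN.
    The attacker forwards the same string to LEGIT_ORIGIN inside the 30 s window.
    Nothing in the code says which site it was typed into, so the server accepts it."""
    code_typed_on_phish_site = totp(secret, now)
    code_server_expects = totp(secret, now)      # same secret, same time step
    return hmac.compare_digest(code_typed_on_phish_site, code_server_expects)


class OriginBoundAuthenticator:
    """Simplified authenticator: the client software (not the user) supplies the
    origin it is connected to, and that origin is covered by the signature."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def sign(self, challenge: bytes, origin_seen_by_browser: str) -> bytes:
        return hmac.new(self.key, challenge + origin_seen_by_browser.encode(),
                        hashlib.sha256).digest()


def rp_verify(key: bytes, challenge: bytes, signature: bytes, rp_origin: str) -> bool:
    """Relying party recomputes over *its own* origin, never over one supplied by the client."""
    expected = hmac.new(key, challenge + rp_origin.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def relay_origin_bound_attack(key: bytes) -> bool:
    """Attacker fetches a fresh challenge from LEGIT_ORIGIN and relays it to the
    victim, whose browser is on PHISH_ORIGIN. The victim's authenticator signs
    challenge || PHISH_ORIGIN, which LEGIT_ORIGIN rejects."""
    challenge = secrets.token_bytes(32)
    signature = OriginBoundAuthenticator(key).sign(challenge, PHISH_ORIGIN)
    return rp_verify(key, challenge, signature, LEGIT_ORIGIN)


def legitimate_origin_bound_login(key: bytes) -> bool:
    """Same flow with the browser genuinely on LEGIT_ORIGIN: accepted."""
    challenge = secrets.token_bytes(32)
    signature = OriginBoundAuthenticator(key).sign(challenge, LEGIT_ORIGIN)
    return rp_verify(key, challenge, signature, LEGIT_ORIGIN)


if __name__ == "__main__":
    seed = secrets.token_bytes(20)
    dev_key = secrets.token_bytes(32)
    print("TOTP relay accepted by server:", relay_totp_attack(seed, 1_700_000_000))
    print("Origin-bound relay accepted:  ", relay_origin_bound_attack(dev_key))
    print("Origin-bound genuine login:   ", legitimate_origin_bound_login(dev_key))
```

The point of the model is the asymmetry between the two factors: a one-time code is a bearer value that carries no information about where it was entered, so any party holding it within the window can replay it, whereas an origin-bound signature is useless anywhere except the site the browser was really connected to. The TOTP routine is checked against the RFC 6238 SHA-1 test vector in the accompanying test.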
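What such a password check looks like in code, as an added example (not from the article or from OMB): length is enforced, there is no special-character or mixed-case rule, and the candidate is compared against a breach corpus without sending the password, or even its full hash, to the lookup service. The corpus and the `range_query` function are constructed stand-ins for a breached-password service so the code runs offline; the query shape, sending only the first five hex characters of the SHA-1 hash and matching the suffix locally, is the k-anonymity pattern such services commonly use. The 8- and 64-character bounds are assumptions consistent with NIST SP 800-63B; the draft itself names no specific number.

```python
"""Password acceptance: length bounds, no composition rules, breach check.

Added example, not part of the original article or OMB's strategy. The breach
corpus and the range-query service are constructed so this runs offline.
"""
import hashlib
import unicodedata
from typing import Callable, Optional

MIN_LENGTH = 8    # assumed floor (NIST SP 800-63B minimum); the draft gives no number
MAX_LENGTH = 64   # assumed ceiling; long passphrases are allowed, not penalised

# Constructed breach corpus: SHA-1 hex digest -> number of times seen in breaches.
# "Password1!" satisfies the old composition rules and is still unacceptable.
_BREACHED_PLAINTEXT = {"password": 3861493, "Password1!": 5120, "letmein": 91000}
BREACH_INDEX = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
                for p, n in _BREACHED_PLAINTEXT.items()}


def range_query(prefix5: str) -> str:
    """Stand-in for the service side of a k-anonymity range lookup.

    Receives only the first five hex characters of the SHA-1 hash and returns
    every stored hash sharing that prefix as 'SUFFIX:COUNT' lines, one per line.
    """
    return "\n".join(f"{h[5:]}:{n}" for h, n in BREACH_INDEX.items()
                     if h.startswith(prefix5))


def is_breached(password: str, query: Callable[[str], str] = range_query) -> bool:
    """True if the password's SHA-1 suffix appears in the range response with count > 0.

    The full hash never leaves the client; matching is done locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        found, _, count = line.partition(":")
        if found == suffix and count.isdigit() and int(count) > 0:
            return True
    return False


def check_password(password: str) -> Optional[str]:
    """Return None if the password is acceptable, otherwise the rejection reason.

    Deliberately absent: any requirement for digits, symbols or mixed case.
    """
    normalized = unicodedata.normalize("NFKC", password)  # compare consistently
    n = len(normalized)
    if n < MIN_LENGTH:
        return f"too short (fewer than {MIN_LENGTH} characters)"
    if n > MAX_LENGTH:
        return f"too long (more than {MAX_LENGTH} characters)"
    if is_breached(normalized):
        return "appears in a known breach corpus"
    return None


if __name__ == "__main__":
    for candidate in ("Password1!", "short", "a long passphrase without symbols"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

The order of checks matters operationally: length is tested first because it is free, and the breach lookup, which in production is a network call, is only made for candidates that have already passed the local rules. The constructed corpus deliberately includes a composition-compliant password so the example shows why the breach check, not the symbol rule, is what catches it.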
The proposals attempt to give a baseline of protection, and agencies can layer on additional authentication requirements as users attempt to access more sensitive programs or data.
ACCOUNTING FOR DEVICES AND DATA
Organizations need to know where their weak points are, and so the strategy document calls for identifying and continually monitoring all the devices used as part of their operations.
Agencies also need to ensure they are protecting all sensitive data they hold, whether it sits in formal data sets or less formally, such as in emails. Organizations also may not be used to considering how they are defending "intermediate datasets which exist principally to support the maintenance of other primary datasets," the strategy states.
The OMB recognizes this as tricky work, and its proposal calls for a new joint committee charged with developing a guide and providing assistance to agencies attempting to improve data categorization and protection.
MONITORING
OMB noted that machine learning tools could help agencies identify sensitive data and monitor for suspicious activity, but acknowledged that the complexity of such technology is a hurdle: specialists would need to be on hand to verify that the tools are working as intended.
OMB therefore proposed that organizations without that expertise rely for now on simple automations, starting with limited tasks and having security teams keep a close eye on how well those automations perform.
Agencies must assume that, at some point, something will go wrong. The OMB proposal advises agencies to regularly have third parties assess their security and to make it easy for personnel in charge of their systems to quickly receive warnings from security researchers. CISA offers a platform intended to facilitate this vulnerability reporting.
Public comment on the OMB report can be submitted to zerotrust@omb.eop.gov.
CISA also accompanied OMB’s announcement with one of its own: the public release of its Zero Trust Maturity Model, which is intended to support OMB’s proposal. CISA’s Zero Trust Maturity Model document previously was circulated to an agency-only audience in June 2021, but is now open to public viewing and feedback.