White House rolls out zero trust strategy to bolster nation’s digital infrastructure

The U.S. administration released on Wednesday a memorandum that directs agencies to the highest-value starting points on their path to a zero trust strategy and describes several shared services that should be prioritized to support a long-term government-wide effort.

“This strategy is a starting point, not a comprehensive guide to a fully mature zero trust architecture,” the memorandum said. Through the Office of Management and Budget (OMB), the memorandum sets forth a federal zero trust architecture (ZTA) strategy that will work towards delivering on U.S. President Joe Biden’s Executive Order 14028, issued in May last year, which focuses on advancing security measures that reduce the risk of successful cyber attacks against the federal government’s digital infrastructure.

The OMB released in September an initial draft of the strategy for public comment and received additional insights from cybersecurity professionals, non-profit organizations, and private industry that helped inform the final strategy.

The federal strategy requires agencies to meet specific cybersecurity standards and objectives by the end of fiscal year 2024. These measures will help reinforce the government’s defenses against increasingly sophisticated and persistent threat campaigns, which have time and again targeted federal technology infrastructure, threatening public safety and privacy, damaging the American economy, and weakening trust in government.

The efforts are organized using the zero trust maturity model developed by the Cybersecurity and Infrastructure Security Agency (CISA). The agency’s zero trust model describes five complementary areas of effort (pillars) that include identity, devices, networks, applications and workloads, and data. These tenets fall in line with three themes that cut across these areas – visibility and analytics, automation and orchestration, and governance.

“The growing threat of sophisticated cyber attacks has underscored that the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data,” according to a media statement issued by the U.S. White House. “The Log4j vulnerability is the latest evidence that adversaries will continue to find new opportunities to get their foot in the door. The zero trust strategy will enable agencies to more rapidly detect, isolate, and respond to these types of threats,” it added.

“In the face of increasingly sophisticated cyber threats, the Administration is taking decisive action to bolster the Federal Government’s cyber defenses,” said Shalanda Young, acting OMB director. “This zero trust strategy is about ensuring the Federal Government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the United States harm.”

“This strategy is a major step in our efforts to build a defensible and coherent approach to our federal cyber defenses,” said Christopher Inglis, National Cyber Director. “We are not waiting to respond to the next cyber breach. Rather, this Administration is continuing to reduce the risk to our nation by taking proactive steps towards a more resilient society.”

“As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” said Jen Easterly, CISA director. “Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.”

The administration released a memorandum that “directs agencies to the highest-value starting points on their path to a zero trust architecture, and describes several shared services which should be prioritized to support a long-term Government-wide effort.” This strategy is a starting point, not a comprehensive guide to a fully mature zero trust architecture, it added. 

EO 14028 required agencies to develop their own plans for implementing zero trust architecture. “Within 60 days of the date of this memorandum, agencies must build upon those plans by incorporating the additional requirements identified in this document and submitting to OMB and CISA an implementation plan for FY22-FY24 for OMB concurrence, and a budget estimate for FY24,” according to the document. Agencies should internally source funding in FY22 and FY23 to achieve priority goals, or seek funding from alternative sources, such as working capital funds or the technology modernization fund, it added.

Agencies will have 30 days from the publication of this memorandum to designate and identify a zero trust strategy implementation lead for their organization, it added. “OMB will rely on these designated leads for Government-wide coordination and for engagement on planning and implementation efforts within each organization. OMB and CISA will work with agencies throughout zero trust implementations to capture best practices, lessons learned, and additional agency guidance on a jointly maintained website,” the memorandum added.  

In addition to focusing on the zero trust framework, the federal strategy also emphasized bolstering enterprise identity and access controls, including multi-factor authentication (MFA), according to the memorandum. It set out a new baseline for access controls across the board, as tightening access controls will require agencies to leverage data from different sources to make intelligent decisions. 

Further, federal applications cannot rely on network perimeter protections to guard against unauthorized access, the memorandum said. “Users should log into applications, rather than networks, and enterprise applications should eventually be able to be used over the public internet. In the near term, every application should be treated as internet-accessible from a security perspective. As this approach is implemented, agencies will be expected to stop requiring application access be routed through specific networks, consistent with CISA’s zero trust maturity model,” it added.

The federal strategy also calls on federal data and cybersecurity teams within and across agencies to jointly develop pilot initiatives and government-wide guidance on categorizing data based on protection needs, building a foundation to automate security access rules, the memorandum said.

Zero Trust states that nothing is trusted – and certainly not based on the location in which it sits or from which it came – every single request for a resource must be properly authorized, and that applies whether a request is made by a human using a device or a device on its own, Joseph Steinberg, cybersecurity, privacy, and artificial intelligence (AI) advisor, wrote in his recent blog post. 

“Furthermore, authorization should only be granted if a party asking for access to the resource actually needs access to that resource for a legitimate purpose (AKA adopting a true need to know basis),” he added.

“The initial step in any successful Zero Trust strategy should focus on granting access by verifying the person requesting access, understanding the context of the request, and determining the risk of the access environment,” Lucas Budman, CEO of TruU, said in a written statement. “This never trust, always verify, enforce least privilege approach provides the greatest security for organizations.”

“By focusing on tailored controls around sensitive data stores, applications, systems, and networks, the Zero Trust model shifts the focus away from varying types of authentication and access controls,” Anurag Gurtu, CPO at StrikeReady, said in a written statement. “The Zero Trust initiative should be supported by other key initiatives such as modernizing the security operations as well as uniting and empowering cyberdefenders. Without one of these, an organization’s security will be shaky at best,” he added.

Ahead of the announcement of the zero trust strategy, the Defense Information Systems Agency (DISA) said on Tuesday that it has awarded a US$6.8 million contract to Booz Allen Hamilton for a Thunderdome zero trust prototype. The Thunderdome will streamline the endpoint security solution set at the Department of Defense (DOD), enhance security posture as investments in cloud technologies continue, and implement new security capabilities. 
