The Biden administration has issued a flurry of cybersecurity orders to federal agencies in the past year, and one component of those was a pledge to eventually move all government systems to a zero trust strategy. However, a clear path toward that has yet to be laid out, and some in these agencies remain confused about what the concept even means for them.
The administration has taken the first concrete step toward actually implementing the government-wide zero trust strategy with a memorandum addressed to all federal agencies, outlining the basic goals to be reached by the end of fiscal year 2024.
Among other items, the memo calls for enterprise-managed accounts for all federal employees, “consistent” tracking and monitoring of all devices, isolation of agency systems, encryption of all traffic in motion between agencies, and rigorous testing of enterprise applications.
White House zero trust strategy begins to take shape
Originating from the Office of Management and Budget (OMB), the zero trust strategy memo lays out a roadmap for measures to be implemented over roughly the next two and a half years.
The security update campaign began in May 2021 with Executive Order 14028, “Improving the Nation’s Cybersecurity.” This and a series of follow-up orders addressed not just federal agencies, but also civilian federal contractors and private critical infrastructure companies. The complex and far-reaching campaign was prompted in no small part by the ransomware attacks on the likes of Colonial Pipeline, JBS and Kaseya.
What will the zero trust strategy mean for federal agencies? Speaking broadly, it means no more privileged access without re-authentication at every login point. Nothing currently outside the security perimeter is trusted unless it meets the authentication criteria, which will also be elevated from current standards.
To provide more concrete detail, the memo indicates that federal staff can expect to switch to “enterprise-managed” accounts going forward. A rough analogy would be collaboration platforms like Trello and Slack, where employees log in to a centralized “portal” of sorts that contains managed apps for their online activities. This particular move is more about security than project management, however, giving account managers greater ability to defend against things like phishing attacks that might compromise one of these accounts. The wording also indicates that federal employee access may be more narrowly filtered to only those systems and apps that are job-critical.
The memo also says that the devices federal staff use will be “consistently tracked and monitored” and that the security posture of those devices will be considered in decisions to grant them access to resources inside the security perimeter.
Other specific elements of the zero trust strategy include isolating agency systems, encrypting the traffic that flows between them, testing enterprise applications both internally and externally, and the development of new data categories and security rules used to automatically block unauthorized access to sensitive information.
Stronger access controls are also mentioned, though not much specific is laid out as an absolute requirement other than the implementation of multi-factor authentication (MFA) as a standard across federal agencies.
The memo notes that some federal agencies are presently farther along in implementing a zero trust strategy than others, and calls on those that are more advanced to collaborate with others to bring everyone up to speed. Though the project will run at least through the end of September 2024, agencies are being called upon to lay out their own specific zero trust plans within the next 60 days and to appoint a lead within 30 days.
Federal agencies asked to move fast, make big changes
In addition to having coherent zero trust strategy plans in place within the next two months, CISA and GSA are tasked with creating a procurement structure for application security testing capabilities for all federal agencies to use that will require no more than a month to put into practice (and “a few days” in urgent emergency situations).
If there is one thing the federal government is famous for, it is the pace at which it tends to move; generally not one that is compatible with such a rapid deployment of complex technical measures. This has been an ongoing theme, with much more agile cyber criminals innovating and staying ahead of these slow responses. The move to a zero trust strategy tracks with general IT trends in the private sector, however, and it may take a “system shock” of this sort to prod federal agencies into an adequate cyber security posture.
However, as Raj Dodhiawala, President of Remediant, notes, unrealistic expectations about the government’s pace may not be the only issue with this plan: “While the order rightfully includes centralized management of identities, it fails to identify the Governance of Privilege and invalid privileged account access, which is the riskiest identity for both the public and private sectors … The executive order also elaborates on Phishing-resistant MFA for protection but not enough on how to reduce the attack surface due to privilege sprawl … OMB’s memorandum also distinguishes between authentication and authorization, but it does not go far enough to establish layered protection, which will prevent attackers from gaining any elevated privileges. This includes protecting admin authorization, and protecting organizations against the discovery of admin credentials, hashes or secrets from inside the network.”
Tim Erlin, VP of strategy at Tripwire, notes a couple of additional specific issues: “It’s unfortunate that this memorandum doesn’t provide a clearer role for what NIST identifies as one of the key tenets for Zero Trust: integrity monitoring. Documents from both CISA and NIST include integrity monitoring as a key component of Zero Trust, but the OMB memorandum doesn’t include similar treatment. Integrity monitoring is foundational to a successful Zero Trust Architecture … This memorandum (also) includes substantial requirements and discussion around Endpoint Detection and Response (EDR), and in doing so, runs the risk of over-reliance on a specific technology. EDR is already evolving into Managed Detection and Response (MDR) and Extended Detection and Response (XDR). The cybersecurity technology landscape moves quickly, and there’s a real risk that agencies will find themselves required to implement and run a superseded capability.”
There is also the potential conflict of requiring federal employees to submit personal devices to these new requirements, should they need to connect them to government networks. As Lucas Budman, CEO of TruU, observes: “It’s also important in a Zero Trust construct to recognize that devices that access data (laptops, desktops, mobile devices) have identities, as well. You have to understand the device’s posture when accessing the network in order to provide proper device level authentication and authorization. If the user only has access to non-sensitive or public information, the enterprise may not care that their device might have malware; however, if the user is trying to access sensitive financial or customer data, access should only be given to those devices that are managed, trusted and protected. In any case, simultaneous device risk data and identity authentication allow customers to implement policies that respond to potential threats as they happen by stepping up identity verification on compromised endpoints and limiting access to high-value assets associated with those endpoints.”
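The access model described above (device posture weighed alongside identity, sensitivity-dependent rules, and step-up verification on compromised endpoints) can be expressed as a small policy decision function. The following is an added illustration, not code from the OMB memo or from any of the vendors quoted; the attribute names, the three sensitivity tiers and the sample identities and devices are all constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    """Constructed data categories, ordered from least to most sensitive."""
    PUBLIC = 1
    INTERNAL = 2
    SENSITIVE = 3


@dataclass
class DevicePosture:
    """Signals an endpoint agent would report (hypothetical field names)."""
    managed: bool            # enrolled in enterprise device management
    disk_encrypted: bool
    edr_healthy: bool        # endpoint detection agent running and current
    malware_detected: bool   # endpoint currently flagged as compromised


@dataclass
class Identity:
    """Signals from the identity provider (hypothetical field names)."""
    user: str
    enterprise_managed: bool
    mfa_phishing_resistant: bool
    step_up_completed: bool  # fresh, stronger re-verification in this session


@dataclass
class Decision:
    allow: bool
    step_up_required: bool
    reason: str


def evaluate_access(identity: Identity, device: DevicePosture,
                    sensitivity: Sensitivity) -> Decision:
    """Combine identity and device signals into one access decision.

    Rules, in order of evaluation:
      1. Only enterprise-managed identities are considered at all.
      2. Public resources are served regardless of device posture.
      3. A compromised endpoint never reaches sensitive (high-value) data,
         and reaches internal data only after step-up verification.
      4. Sensitive data requires a managed, encrypted, EDR-healthy device
         and phishing-resistant MFA on the identity.
    """
    if not identity.enterprise_managed:
        return Decision(False, False, "identity is not enterprise-managed")

    if sensitivity is Sensitivity.PUBLIC:
        return Decision(True, False, "public resource; device posture not weighed")

    if device.malware_detected:
        if sensitivity is Sensitivity.SENSITIVE:
            return Decision(False, False, "compromised endpoint barred from high-value data")
        if not identity.step_up_completed:
            return Decision(False, True, "compromised endpoint: step-up verification required")
        return Decision(True, False, "compromised endpoint allowed after step-up, internal data only")

    if sensitivity is Sensitivity.SENSITIVE:
        trusted_device = device.managed and device.disk_encrypted and device.edr_healthy
        if not trusted_device:
            return Decision(False, False, "sensitive data requires a managed, trusted, protected device")
        if not identity.mfa_phishing_resistant:
            return Decision(False, True, "sensitive data requires phishing-resistant MFA")

    return Decision(True, False, "identity and device posture satisfy policy")


def run_demo() -> list:
    """Evaluate a few constructed scenarios and return the decisions in order."""
    alice = Identity("alice", enterprise_managed=True, mfa_phishing_resistant=True, step_up_completed=False)
    bob = Identity("bob", enterprise_managed=True, mfa_phishing_resistant=False, step_up_completed=False)
    clean_managed = DevicePosture(managed=True, disk_encrypted=True, edr_healthy=True, malware_detected=False)
    personal_laptop = DevicePosture(managed=False, disk_encrypted=True, edr_healthy=False, malware_detected=False)
    infected_managed = DevicePosture(managed=True, disk_encrypted=True, edr_healthy=True, malware_detected=True)

    scenarios = [
        (alice, clean_managed, Sensitivity.SENSITIVE),     # allowed
        (alice, personal_laptop, Sensitivity.SENSITIVE),   # denied: untrusted device
        (bob, personal_laptop, Sensitivity.PUBLIC),        # allowed: public data
        (bob, clean_managed, Sensitivity.SENSITIVE),       # step-up: MFA not phishing-resistant
        (alice, infected_managed, Sensitivity.INTERNAL),   # step-up: compromised endpoint
        (alice, infected_managed, Sensitivity.SENSITIVE),  # denied: compromised endpoint
    ]
    return [evaluate_access(i, d, s) for i, d, s in scenarios]


if __name__ == "__main__":
    for decision in run_demo():
        print(f"allow={decision.allow!s:5} step_up={decision.step_up_required!s:5} {decision.reason}")
```

The ordering of the rules is the design point: the public-data branch comes before any posture check, so an unmanaged or even infected personal device can still read public material, while the compromised-endpoint branch comes before the trusted-device branch so that a fully managed machine that starts reporting malware is cut off from high-value assets immediately rather than continuing to pass on its enrollment status.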