According to the final plan released by the White House on Wednesday, the federal government will move to a “zero-trust” cybersecurity strategy by 2024.

The plan was released by the Office of Management and Budget (OMB) and is an update of the OMB initial draft released in September 2021.  The initial draft requested additional public comment and, according to the White House statement, “received additional insights from cybersecurity professionals, non-profit organizations, and private industry that helped inform the final strategy.”

Today, we released a Federal cybersecurity strategy to move the U.S. Government toward a “zero trust” architecture — a critical step forward in delivering on @POTUS’s cybersecurity Executive Order. https://t.co/mhrEqxAFR6

— Office of Management and Budget (@OMBPress) January 26, 2022

“This strategy will serve as the foundation for a paradigm shift in Federal cybersecurity, and provide a model for others to follow.” – Federal Chief Information Security Officer Chris DeRusha

Timeline

As the final plan states:  “Transitioning to a zero-trust architecture will not be a quick or easy task for an enterprise as complex and technologically diverse as the Federal Government.”  Following are some of the initial benchmarks itemized by the final plan:

• 30 days for agencies to select a zero-trust strategy implementation lead for their organization.
• 60 days for agencies to build upon the zero-trust implementation plans required by the May 2021 Cybersecurity Executive Order issued by President Biden.
• Two years for agencies to implement zero-trust requirements.

Running parallel to these benchmarks, the White House statement included plans for “a concurrent public-private process to develop new and innovative approaches to secure software development and uses the power of federal procurement to incentivize the market.”

The private sector implications of these incentives created by federal procurement activity were best captured by the Mimecast Threat Intelligence blog:

“By its nature, a public procurement initiative of this scope influences the marketplace, as federal contractors adjust to new requirements and bring their supply chains in line as well. But the Biden administration is looking to exert additional influence on the uptake of zero-trust architectures nationwide with measures ranging from public-private software development processes to a software labeling program, like the “energy star” label on appliances, to verify the security of software.  A pilot program would be launched for the labeling program…aimed not only [for] the government but also the public at large.”

Also, from the zero-trust strategy plan:

“Agencies that are further along in their zero trust process should partner with those still beginning by exchanging information, playbooks, and even staff. Agency Chief Financial Officers, Chief Acquisition Officers, senior agency officials for privacy, and others in agency leadership should work in partnership with their IT and security leadership to deploy and sustain zero trust capabilities.

It is critical that agency leadership and the entire “C-suite” be aligned and committed to overhauling an agency’s security architecture and operations. Agencies should make use of the rich security features present in cloud infrastructure. This strategy frequently references cloud services, but also addresses on-premise and hybrid systems.” (1)

Zero Trust Strategy Priorities

The final strategic plan emphasizes the following zero-trust architecture efforts.  From the document:

• Enterprise Access Controls, including Consolidating Agency Identity Systems and Combating Phishing Through Strong Multifactor Authentication  The Federal Government must improve its identity systems and access controls. Currently, many authorization models in the Federal Government focus on role-based access control (RBAC), which relies on static pre-defined roles that are assigned to users and determine their permissions within an organization. This strategy sets a new baseline for access controls across the government that prioritizes defense against sophisticated phishing and directs agencies to consolidate identity systems so that protections and monitoring can be consistently applied. Tightening access controls will require agencies to leverage data from different sources to make intelligent decisions, such as analyzing device and user information to assess the security posture of all activity on agency systems.
• Encrypting all DNS and HTTP traffic:  All traffic must be encrypted and authenticated as soon as practicable. This includes internal traffic, as made clear in EO 14028, which directs that all data must be encrypted while in transit. This strategy focuses agencies on two critical and widely used protocols in the near term, DNS and HTTP traffic;  in addition, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Risk and Authorization Management Program (FedRAMP) will evaluate options for encrypting email in transit.
• Internal Networks Now Considered Untrusted:  A key tenet of a zero-trust architecture is that no network is implicitly considered trusted—a principle that may be at odds with some agencies’ current approach to securing networks and associated systems.  While the concepts behind zero trust architectures are not new, the implications of shifting away from “trusted networks” are new to most enterprises, including many agencies. This process will be a journey for the Federal Government, and there will be learning and adjustments along the way as agencies adapt to new practices and technologies.  Agencies must develop a zero-trust architecture plan that describes how the agency plans to isolate its applications and environments, in consultation with CISA, and include it in the full implementation and investment plan required by this memorandum.
• Strengthening Application Security:  Federal applications cannot rely on network perimeter protections to guard against unauthorized access. Users should log into applications, rather than networks, and enterprise applications should eventually be able to be used over the public internet. In the near term, every application should be treated as internet-accessible from a security perspective. As this approach is implemented, agencies will be expected to stop requiring application access be routed through specific networks, consistent with CISA’s zero-trust maturity model.  Approaching an application from a particular network must not be considered any less risky than approaching it from the public internet. Accomplishing this goal in an enterprise means progressively de-emphasizing network-level authentication by its users, and eventually removing it entirely. In mature zero trust deployments, users strongly authenticate into applications, not into the underlying networks. (2)

Federal Cybersecurity Leadership is Onboard

“…agency leadership plays a key role in ensuring that agency CISOs have the support they need from their agencies’ financial and acquisition teams to execute this strategy.”

Zero trust is a key element to modernize and strengthen our nation’s defenses.

I applaud @OMBPress’ new Federal strategy to move towards Zero Trust: https://t.co/Fm6VEqeUCn https://t.co/dJ8xJeQZ0o

— Jen Easterly🛡️ (@CISAJen) January 26, 2022

“As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” said CISA Director Jen Easterly. “Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.”

“OMB’s Zero Trust Strategy is an important milestone in the President’s effort to modernize the federal government’s cyber security to meet current threats, as outlined in Executive Order 14028,” said Deputy National Security Advisor for Cyber Anne Neuberger. “As OMB Acting Director Young noted, agency leadership plays a key role in making this strategy real, ensuring that agency CISOs have the support they need from their agencies’ financial and acquisition teams to execute this strategy.”

“This strategy is a major step in our efforts to build a defensible and coherent approach to our federal cyber defenses,” said national Cyber Director Christopher Inglis. “We are not waiting to respond to the next cyber breach. Rather, this Administration is continuing to reduce the risk to our nation by taking proactive steps towards a more resilient society.”

OODA Resources

OODA LLC has been strong a strong advocate for a zero-trust strategy and implementations.  For more perspective, see Bob Gourley’s The New Enterprise Architecture Is Zero Trust and Junaid Islam’s Zero Trust Will Yield Zero Results Without A Risk Analysis.  Bob and Junaid also have a fascinating OODAcast conversation at Junaid Islam on Zero Trust Architecture.   Recently, we also provided a use case analysis of Future Cybersecurity Architectures: DoD’s Zero Trust Pilot Program and Native Zero Trust Design.

Please contact us by using this form if you would like to explore with us the implications of this federal zero-trust strategy for your organization.

A direct link to the final strategic plan can be found at M-22-09 Federal Zero Trust Strategy (whitehouse.gov).

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking

Artificial Intelligence Sensemaking: Take advantage of this mega trend for competitive advantage

This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking

COVID-19 Sensemaking: What is next for business and governments

From the very beginning of the pandemic we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily daily intelligence as well as pointers to reputable information from other sites. See: OODA COVID-19 Sensemaking Page.

Space Sensemaking: What does your business need to know now

A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast