The Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) both published key draft guidance documents today that provide the next set of road maps for Federal civilian agencies to transition to zero trust security concepts over the next three years and to guide agencies to securely migrate to cloud services.
The Federal government’s transition to zero trust concepts – and its push for agencies to further adopt cloud services – are centerpieces of the Biden administration’s Cybersecurity Executive Order released in May. The drafts published today by OMB and CISA offer lengthy and detailed marching orders for Federal agencies to make progress on both aspects of the executive order.
Key Near-Term Dates
OMB is seeking public comment on its Federal Zero Trust Strategy Draft by September 21, with comments directed to: zerotrust@omb.eop.gov.
In addition to seeking public comment, OMB is giving Federal civilian agencies 60 days to build the new guidance into their existing zero trust implementation plans. The new mandate also includes submitting to OMB an implementation plan for fiscal year (FY) 2022 through FY2024, a budget estimate for FY2022-2023, and work to reprioritize funding for FY2022 “to achieve priority goals or seek funding from alternative sources, such as agency working capital funds or the Technology Modernization Fund.”
On top of those requirements, the OMB draft requires Federal civilian agencies and departments to report back within 30 days with a designated zero trust architecture implementation lead for their organizations. “OMB will rely on these designated leads for government-wide coordination and for engagement on planning and implementation efforts within each organization,” the agency said.
For its part, CISA is asking for public comment through October 1 on the two drafts it issued today. The first is CISA’s draft Zero Trust Maturity Model, and the second is the agency’s Cloud Security Technical Reference Architecture. Comments should be directed to: tic@cisa.dhs.gov.
OMB Draft Federal Strategy
OMB’s draft Federal strategy provides a highly detailed framework for Federal civilian agencies to adopt zero trust security principles, with a stated goal of accelerating agencies “towards a shared baseline of early zero trust maturity.”
The OMB draft sets forth five major zero trust transition goals for Federal agencies to hit by the end of FY2024:
- Identity: Agency staff use an enterprise-wide identity to access the applications they use in their work. Phishing-resistant MFA protects that personnel from sophisticated online attacks;
- Devices: The Federal government has a complete inventory of every device it operates and authorizes for government use, and can detect and respond to incidents on those devices;
- Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment and begin segmenting networks around their applications, and the Federal Government identifies a workable path to encrypting email in transit;
- Applications: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous testing and welcome external vulnerability reports; and
- Data: Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data, and have implemented enterprise-wide logging and information sharing.
The OMB draft places further emphasis on automating security actions, and enabling “safe and robust use of cloud services.”
The draft strategy acknowledges that the shift to zero trust principles won’t happen overnight. OMB said it expects that “moving to a zero trust architecture will be a multi-year journey for agencies, and the Federal government will learn and adjust as new technologies and practices emerge.”
At its highest level, OMB said the draft strategy recognizes that the Federal government faces “increasingly sophisticated and persistent cyber threat campaigns that target its technology infrastructure, threatening public safety and privacy, damaging the American economy, and weakening trust in government.”
The move toward zero trust security principles – and away from traditional perimeter-based network defenses – “will require a major paradigm shift in how Federal agencies approach cybersecurity,” OMB said.
Quoting existing Department of Defense policy on zero trust security, OMB said, “the foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.”
“This strategy does not attempt to describe or prescribe a fully mature zero trust implementation,” OMB emphasized.
“The purpose of this strategy is to put all Federal agencies on a common roadmap by laying out the initial steps agencies must take to enable their journey toward a highly mature zero trust architecture,” OMB said. “This recognizes that each agency is currently at a different state of maturity, and ensures flexibility and agility for implementing required actions over a defined time horizon. The strategy also seeks to achieve efficiencies for common needs by calling for government-wide shared services, where relevant.”
“Transitioning to a zero trust architecture will not be a quick or easy task for an enterprise as complex and technologically diverse as the Federal Government,” OMB said. “But as President Biden stated in [the cybersecurity executive order], ‘Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.’”
“While the concepts behind zero trust architectures are not new, the implications of shifting away from ‘trusted networks’ are new to most enterprises, including many Federal agencies,” OMB said. “This will be a journey for the Federal Government, and there will be learning and adjustments along the way as agencies and policies adapt to new practices and technologies.”
OMB added that agencies further along the zero trust path will need to partner with those who have made less progress, and that agency finance and acquisition officers will need to cooperate in the effort to build sustainable operational models.
The agency also emphasized the importance of cloud service adoption in the zero trust effort.
“This strategy encourages agencies to make use of the rich security features present in cloud infrastructure while ensuring that agency systems are appropriately designed to support secure use of cloud systems,” OMB said. “This strategy frequently references cloud services, as agencies are broadly expected to continue increasing their use of cloud infrastructure and associated security services. However, the actions in this strategy also address on-premise and hybrid systems.”
CISA Maturity Model, Cloud Security Reference Architecture Drafts
The two drafts issued by CISA today drive at the same broad goals for Federal civilian agencies in the administration’s cybersecurity executive order – move to the cloud, and move to zero trust security principles.
The draft Cloud Security Technical Reference Architecture (TRA) is “designed to guide agencies’ secure migration to the cloud by explaining considerations for shared services, cloud migration, and cloud security posture management,” CISA said.
The TRA, the agency said, was developed in partnership with the United States Digital Service and the General Services Administration’s FedRAMP program. CISA said it wants to “collect critical feedback from agencies, industry, and academia to ensure the guidance fully addresses considerations for secure cloud migration.”
Additionally, the agency’s draft Zero Trust Maturity Model aims to assist “agencies in the development of their zero trust strategies and implementation plans, and presents ways in which various CISA services can support zero trust solutions across agencies.” CISA said today that it drafted the maturity model in June to help agencies comply with requirements of the cybersecurity executive order, and is “excited” to give the document a wider release for public comment.
Based on comments it receives, CISA said it plans to produce new versions of both documents.
Eric Goldstein, Executive Assistant Director at CISA, said in a blog post today that “the forecast has long called for agencies’ transition to cloud services, and a new guidance [TRA] document just allowed for a smooth and secure migration process. The Cloud Security TRA can help agencies at all points in the cloud migration process; agencies still using on-premises systems will be better prepared to migrate securely and effectively to the cloud, while agencies currently migrating to the cloud can reference the TRA to ensure they’re on the right course.”
“Designed using an iterative approach, agencies can continue to reference the TRA into the future as cloud security technologies and practices continue to evolve,” Goldstein added. “Most importantly, the TRA can help decrease cyber breaches across the federal network. The use of modern security tools, appropriate cloud configurations, and cloud security best practices will strengthen the government’s defenses and reduce the amount of resources spent on incident response and recovery.”
Commenting on the maturity model draft, Goldstein said the document is “one of many roadmaps for agencies to reference as they transition towards a zero trust architecture.”
“The maturity model, which includes five pillars and three cross-cutting capabilities, is based on the foundations of zero trust,” he said. “Within each pillar, the maturity model provides agencies with specific examples of a traditional, advanced, and optimal zero trust architecture. It also presents ways in which various CISA services can support zero trust solutions across agencies. The framework within the CISA Zero Trust Maturity Model allows agencies to ensure they are progressing towards a comprehensive zero trust architecture.”
What Federal IT Officials Are Saying
The top ranks of the Federal IT policy and management enterprise emphasized the importance of moving forward on the executive order’s zero trust and cloud adoption mandates in published comments today.
“Never trust, always verify,” counseled Federal CIO Clare Martorana. “With today’s zero trust announcement, we are clearly driving home the message to federal agencies that they should not automatically trust anything inside or outside of their perimeters. They must verify anything and everything trying to connect to their systems before granting access. This is an expectation in a modern technology environment and we look forward to this public comment process to make our strategy even stronger.”
“The federal government’s approach to cybersecurity must rapidly evolve to keep pace with our adversaries, and moving toward zero trust principles is the road we need to travel to get there,” Federal CISO Chris DeRusha said. “Today we’re releasing a draft federal zero trust strategy that will help agencies put these principles into practice. While we feel the urgency to begin implementing this plan, we know that input from the broader community of experts will help ensure it is the right plan. We welcome feedback on how we can refine this strategy to best advance federal cybersecurity.”
“The Zero Trust Maturity Model is one of the many ways CISA is helping federal agencies protect their systems, and we are excited to release this model to gain further insights from the public,” CISA Director Jen Easterly, who noted the work of the U.S. Digital Service and the FedRAMP program in crafting the TRA, said. “Through our strong partnerships and ongoing collaborative efforts, CISA will develop new and innovative ways to secure constantly changing network perimeters to enable critical federal IT modernization,” she said.
“Our adversaries are constantly adapting, and so must we,” National Cyber Director Chris Inglis commented. “Zero trust principles are at the core of how our federal agencies must evolve to meet today’s cybersecurity demands. Our draft federal zero trust strategy will push agencies in the right direction and help make a more coherent federal cybersecurity posture. We welcome comment from the public on how we can make our strategy as strong and effective as it can be.
“Rapidly improving the cybersecurity of federal networks and leading by example in implementing innovative, effective technologies are core to the Biden Administration’s cybersecurity strategy,” Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, added. “Today, we see the President’s Executive Order on Cybersecurity in action and welcome partnership with the private sector to work collaboratively towards modernizing our cyber defenses.”
