US government’s ‘Zero Trust’ roadmap calls for time-bound paradigm shift

Adam Bannister Jan 28, 2022 15:38 UTC

Updated: January 28, 2022 16:37 UTC

Federal agencies have more than two years to fundamentally revamp cyber defenses

Infosec professionals responded favorably to the US government’s plan to move to a “zero trust” cybersecurity model.

The U.S. Office of Management and Budget (OMB) released a strategy on Wednesday (January 26) to implement a federal government-wide shift from perimeter-based defense to a zero-trust architecture.

The memo (PDF) sets an end-of-fiscal-year 2024 deadline for federal agencies to achieve a range of strategic goals aligned with the five pillars of the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model.

What is Zero Trust?

Although there is considerable disagreement over the precise definition, zero trust can be broadly described as not trusting any user or device by default, even one that has previously been authenticated and sits inside the nominal corporate network perimeter.

As such, the model prescribes continuous validation of users, files, endpoints, networks, operating system processes, and so on across all risk surfaces.

Bob Lord, CSO of the Democratic National Committee from 2017 to 2021, tweeted his endorsement of the White House strategy: “Even if you don’t work with the U.S. federal government, I encourage you to read it,” adding that “every org[anization] should compare their 2022 roadmap to this roadmap and consider appropriate adjustments.”

Lord, who as Yahoo CSO inherited two of the biggest data breaches ever recorded, singled out as notable the directive’s provisions for “anti-phishing authentication” such as security keys. The memo notes that multi-factor authentication (MFA) is not, in general, immune to phishing attacks: users can, for example, be “tricked into providing a one-time code.”

Equally important, Lord went on to say, are the order to drop conventional password rotation and password policies that require special characters, as well as the instructions to migrate DNS to Secure DNS, an encrypted and more secure form of the network protocol.

The directive also requires agencies, by September 2022, “to welcome external vulnerability reports for their internet-accessible systems and to build reporting channels that provide system owners direct, real-time access to incoming vulnerability reports.”

Catalog assets

Greg Fitzgerald, co-founder of Sevco Security, welcomed the directive’s requirement that agencies maintain a complete inventory of all devices authorized for federal use.

“Every network has lost or abandoned IT assets that go undiscovered,” he said. “No one catalogs assets they don’t know about, and no one tinkers with assets they don’t catalog. A true zero-trust approach won’t be possible until organizations can account for all assets, including forgotten ones.”

Meanwhile, Cloudflare CTO John Engates said the directive “shows that the federal government is taking cybersecurity threats seriously and is pursuing a strategy that will better protect the nation’s cyber infrastructure.”

A first draft of the strategy was released in September 2021 to give data privacy and cybersecurity experts an opportunity to provide feedback.

“It was important for us to work with top experts in government, industry and academia and build consensus around the highest value starting point for a defensible Zero Trust architecture,” said Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director, in a White House press release. “This strategy will serve as the foundation for a paradigm shift in federal cybersecurity and provide a model for others to follow.”

The memo follows another recent White House directive aimed at raising information security standards for national security-related systems, and a series of cybersecurity-related announcements from the White House since President Biden took office in January 2021.
