In an official press release, the White House said the US government cannot rely on “conventional perimeter-based defenses to protect critical systems and data” any longer. Furthermore, it said the log4j vulnerability was an example of how adversaries try to compromise the federal government.
What Is a Zero Trust Strategy Model?
On Wednesday, January 26, the Office of Management and Budget (OMB) released a strategy that aims to move federal government agencies toward a zero-trust approach to cybersecurity. The core principle of this model is zero trust for any actor, system, network, or elements, functioning within/outside a security perimeter. Anything and everything that attempts to establish access must be verified before granting access to classified information. This is drastically different from the previous ideals and philosophy of federal government network security. The idea behind the strategy is for agencies to rapidly detect, isolate, and respond to cybersecurity threats. It also provides a series of security goals tailored to specific agencies. It also states that federal agencies must meet their specific zero-trust goals by the end of the financial year 2024.
Details of the Zero Trust Federal Agency Cybersecurity Strategy
The OMB’s strategy prioritizes stronger enterprise identity and access controls which includes multi-factor authentication. Additionally, the move away from trusted networks will require federal agencies to adapt to new technologies and practices. “Without secure, enterprise-managed identity systems, adversaries can take over user accounts and gain a foothold in an agency to steal data or launch attacks,” the strategy states. “This strategy sets a new baseline for access controls across the Government that prioritizes defense against sophisticated phishing, and directs agencies to consolidate identity systems so that protections and monitoring can be consistently applied,” it adds.
Statements from the Heads of OMB and CISA
Acting OMB Director Shalanda Young said it is crucial for the United States to strengthen its cyber defenses in face of rapidly growing cyber-attacks. Young also said the strategy is a key milestone in the government’s efforts to protect the US from adversaries. Jen Easterly, Director of CISA said federal agencies must “continue to fundamentally transform our approach to federal cybersecurity.” “Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity,” Easterly added. Federal government agencies will have 30 days to appoint a strategy implementation lead. They must also submit an implementation plan to the OMB in the next 60 days.