Government gets serious: deadlines for Zero Trust Architectures

Since the 1990s, the federal government has been issuing guidelines and recommendations for security via their 800-Series Special Publications. While some of those guidelines became mandates, things have largely inched forward, instead of making any dramatic leaps. OMB’s new memorandum M-22-09, “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles,” is changing this pattern, and setting deadlines for implementation across the government.

Specifically, the memo calls out the end of FY24 - an extremely short time frame in government circles - for multiple actions across the CISA-defined five pillars of a Zero Trust Architecture. One of the most important actions is for agencies to move to a centralized, enterprise-wide identity management system, with a deadline of just a year from now for removing purely password-based access in favor of two-factor authentication (2FA). Moving to a model that centers on attribute-based access control (ABAC) and role-based access control (RBAC) will necessarily require a great deal of work for agencies that still operate on the “castle defense” model, where simply being able to VPN into a given network implies trust and gives users the keys to the kingdom. It will also, however, bring those agencies in line with more modern security practices, which have been enabled by microsegmentation architectures that rely on user and asset identity, as well as other application-specific factors, in order to make a trust decision.  

Coming against the budget backdrop of another continuing resolution, and a Congress that is more likely to be infighting than passing any budget increases in the near future, the task of implementing these new architectures is monumental at best. Where should those leaders invest their limited time and budgets in support of this new initiative?

The lesson learned from private industry is clear: successfully implementing microsegmented, identity-centric architectures starts with complete visibility into the network you’re attempting to secure. The memo M-22-09 telegraphs this as another key requirement: a reliable asset inventory plan, through CISA’s Continuous Diagnostic and Monitoring program (CDM). Obvious as that may sound, many organizations have run into a great deal of operational pain as they implemented new controls, simply because they did not understand what users and services were actually present on their network. With a proper baseline, fed by tools monitoring actual traffic flows instead of documented processes, agencies can ensure that they account for all of the valid use cases - while simultaneously weeding out legacy or unauthorized activity.

We can expect that 2022 will be an active year for OMB memorandums, providing direction and actions to the federal government to move at an elevated pace towards Zero Trust implementations. But as we know, this will be a multi-year effort to get the agencies to make significant investments in modernizing their IT systems to withstand increasingly complex cyber attacks. Even if it takes a decade, at least the federal government is all moving to a common strategy.

By Jean Schaffer, Corelight Federal CTO