White House wants US govt to use a Zero Trust security model

White House wants US govt to use a Zero Trust security model

A newly released Federal strategy wants the US government to adopt a “zero trust” security model within the next two years to defend against current threats and boost cybersecurity defenses across federal agencies.

The strategy was released today by the White House’s Office of Management and Budget (OMB), which supervises the implementation of the President’s vision across the US Executive Branch.

Today’s announcement follows the release of an initial strategy draft in September 2021, which was prompted by the President’s Executive Order (EO) 14028.

The executive order initiated a government-wide effort to migrate toward zero trust and modernize the nation’s defenses against cyberattacks.

“This memorandum sets forth a Federal zero trust architecture (ZTA) strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 in order to reinforce the Government’s defenses against increasingly sophisticated and persistent threat campaigns,” said Shalanda D. Young, OMB’s Acting Director. (PDF)

“Those campaigns target Federal technology infrastructure, threatening public safety and privacy, damaging the American economy, and weakening trust in Government.”

Key elements of the new zero trust strategy include improved phishing defense through strong multifactor authentication, consolidation of agency identity systems, encrypting traffic and treating internal networks as untrusted, and strengthening application security to protect data better.

OMB’s new federal zero trust strategy foresees a Federal Government where:

  • Federal staff have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks.
  • The devices that Federal staff use to do their jobs are consistently tracked and monitored, and the security posture of those devices is taken into account when granting access to internal resources.
  • Agency systems are isolated from each other, and the network traffic flowing between and within them is reliably encrypted.
  • Enterprise applications are tested internally and externally, and can be made available to staff securely over the internet.
  • Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information

The government migration to zero trust security principles comes after cybersecurity companies pushed the zero-trust network model for years.

This continuous push for modern security principles culminated with the NSA and Microsoft recommending this security approach in February 2021 for large enterprises and critical networks (National Security Systems, Department of Defense, Defense Industrial Base).

Zero trust is a security approach where local devices and connections are never trusted and verification is needed at every step because defenders assume that intruders already have access to the network.

This security model was created by Forrester Research’s John Kindervag in 2010, with Google implementing some of its concepts in 2009 in an internal project (now known as BeyondCorp) after some of its intellectual property was stolen during Operation Aurora.

“In the face of increasingly sophisticated cyber threats, the Administration is taking decisive action to bolster the Federal Government’s cyber defenses,” Young added.

“This zero trust strategy is about ensuring the Federal Government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the United States harm.”