The Biden Administration released a new cybersecurity strategy for federal agencies that will move the government toward a “zero trust” security model.
The nearly 30-page plan lays out dozens of measures federal agencies need to take in the next two years to secure systems and limit the risk of security incidents. The government is still recovering from the SolarWinds scandal, which saw Russian hackers spend months inside government systems at multiple US agencies.
Government agencies have until the end of fiscal year 2024 to put in place many of the measures described in the plan, which include more stringent network segmentation, multi-factor authentication and widespread encryption. Departments are given 60 days or 120 days to appoint leads for the implementation of the measures and for efforts to classify certain information based on sensitivity.
The White House said the growing threat of sophisticated cyberattacks “underscored that the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data.”
“The zero trust strategy will enable agencies to more rapidly detect, isolate, and respond to these types of threats. By detailing a series of specific security goals for agencies, the new strategy will serve as a comprehensive roadmap for shifting the Federal Government to a new cybersecurity paradigm that will help protect our nation. These goals are directly aligned with and support existing zero trust models,” the White House explained.
The move is part of a larger effort to secure the country’s systems that began last year with an executive order and other measures. In September, the White House released a first draft of the strategy and today said they got additional insights from cybersecurity experts, companies and non-profits.
The White House noted that the recent Log4j vulnerability is “the latest evidence that adversaries will continue to find new opportunities to get their foot in the door.”
CISA Director Jen Easterly said zero trust is a key element of their effort to modernize and strengthen the government’s defenses.
“As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” Easterly said. “CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.”
A number of organizations came out in support of the move, noting that the federal government has needed to update its security posture and do more to lock down certain systems.
Phil Venables, CISO at Google Cloud, said they have long advocated for the adoption of modern security approaches like zero trust and would support the federal government “as it embarks upon its zero trust journey.”
Tim Erlin, VP of strategy at Tripwire, called the memorandum a substantial step forward for cybersecurity across the US government but noted that it is “unfortunate” that it doesn’t provide a clearer role for what NIST identifies as one of the key tenets for zero trust: integrity monitoring.
“Documents from both CISA and NIST include integrity monitoring as a key component of zero trust, but the OMB memorandum doesn’t include similar treatment. This memorandum includes substantial requirements and discussion around Endpoint Detection and Response (EDR), and in doing so, runs the risk of over-reliance on a specific technology,” Erlin said.
“EDR is already evolving into Managed Detection and Response (MDR) and Extended Detection and Response. The cybersecurity technology landscape moves quickly, and there’s a real risk that agencies will find themselves required to implement and run a superseded capability.”