Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

US OMB: Zero Trust Strategy for Federal Agencies Released

February 1, 2022

DataBreachToday reported on January 26 that the U.S. Office of Management and Budget has released a federal strategy to move the U.S. government toward zero trust architectures.

The strategy focuses on “phishing-resistant” multifactor authentication, asset inventories, traffic encryption and a lot more. It is a big step toward implementation of President Biden’s May 2021 executive order on cybersecurity.

Within one year, the memorandum does away with password policies that require regular rotation and special characters, and it stresses the importance of encrypting DNS requests and HTTP traffic. OMB also plans to move away from authenticating to applications through virtual private networks and insecure dot-gov intranets, in favor of stronger authentication at the application layer itself.

“This zero trust strategy is about ensuring the federal government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the U.S. harm,” says acting OMB Director Shalanda Young in a statement.

The President’s cybersecurity executive order initiated a governmentwide effort to instill security best practices, utilize the benefits of cloud infrastructure and migrate to zero trust – the “never trust, always verify” security concept that does away with trust by default, including for previously verified devices.

The strategy adheres to five key pillars outlined and defined by the Cybersecurity and Infrastructure Security Agency and gives agencies until the end of fiscal year 2024 to achieve specific zero trust goals.

It calls for the following actions:

Identity: Agency staff will utilize phishing-resistant MFA to protect enterprise-managed personnel from “sophisticated online attacks.”

Devices: Federal agencies will inventory all devices they operate and authorize for government use.

Networks: Agencies will encrypt all DNS requests and HTTP traffic within their environment and begin executing a plan to break down their perimeters into isolated environments.

Applications and Workloads: Agencies will treat all applications as internet-connected and routinely subject to “rigorous empirical testing” and will “welcome external vulnerability reports.”

Data: Agencies will ensure they are on a “clear, shared path to deploy protections that make use of thorough data categorization.” Also, agencies will leverage cloud security services to monitor sensitive data and implement enterprise-wide logging and information sharing.

The strategy requires the following:

Update Plans: Within 60 days, agencies will be required to build upon plans first outlined by Executive Order 14028, incorporating all additional requirements, and submit them to OMB and CISA.

FY22 to FY24: Specific plan updates include an implementation approach for 2022 to 2024, along with a budget estimate.

Funding: OMB advises agencies to internally source funding or seek funding from sources such as the Technology Modernization Fund.

Implementation Lead: Agencies will have 30 days to designate and identify a zero trust strategy implementation lead, who will be relied upon for “coordination and planning” efforts.

Collaboration: OMB and CISA will work with agencies through the implementation phase to “capture best practices, lessons learned, and additional agency guidance on a jointly maintained website at zerotrust.cyber.gov.”

“As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” says CISA Director Jen Easterly. “Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.”

John Kindervag, who created the zero trust model while working as an industry analyst for Forrester, tells ISMG that OMB’s zero trust strategy “is a significant milestone” in a “decade-long journey to bring zero trust to the cybersecurity mainstream.” He calls the document a “powerful endorsement of zero trust’s value to cybersecurity.”

Note the implementation deadline of 2024. Lawyers need to realize that the “standard of care” to reasonably protect confidential data is changing rapidly – law firms will soon need to learn about – and implement – a zero trust strategy to comply with their ethical duties. Planning for a zero trust strategy should begin now with gradual implementation over the next two years.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson