Federal agencies face new zero-trust cybersecurity requirements

As part of the Biden administration’s wide-ranging cybersecurity executive order (EO) issued in May, the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) issued three documents on zero trust last week. Zero trust is a security concept that “eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses,” according to the EO.

From a cybersecurity practitioner’s perspective, zero trust is a security approach that, among other things, relies on stringent authentication and authorization processes to give users needed access to digital assets but in constrained ways that limit damage when a breach or compromise occurs. The EO repeatedly references zero trust and directs CISA and OMB to develop initiatives to incorporate zero-trust cybersecurity security models throughout the federal government.

The documents released last week offer draft versions of these models. CISA and OMB call them “strategic and technical guidance documents meant to move the US government towards a zero-trust architecture.”

Federal strategy seeks shared baseline of early zero-trust maturity

The first document is a draft Federal Zero Trust Strategy to move civilian agencies toward a shared early zero-trust maturity baseline. It relies on a zero-trust maturity model articulated by CISA in June that rests on five pillars:

• Identity premised on agency-wide use of “phishing-resistant” multi-factor authentication
• Devices tracked in an inventory of all devices operated and authorized for government use to better detect and respond to any incidents
• Networks segmented around applications and encrypted DNS requests and HTTPS traffic
• Applications subject to rigorous testing, with all applications automatically assumed to be internet-connected
• Data on a clear shared path to deploy protections that make use of thorough data categorization. In addition, the model directs agencies to take advantage of cloud services and implement enterprise logging and information-sharing

Comments on the zero-trust strategy are due September 21. Agencies have until November 6 to draw up plans for FY22-24 for implementing this architecture. Agencies are also required to designate a zero-trust architecture implementation lead by October 7.

One fly in the ointment is that as of yet, no funding is available to achieve this “dramatic paradigm shift in philosophy of how to secure infrastructure, networks and data.” OMB says agencies should “re-prioritize” their FY22 budget to achieve the goals or find funding somewhere else. Government offices must also develop an FY23-24 budget to achieve their zero-trust priorities in that year.

Zero-trust maturity model is a conceptual roadmap

The second document is CISA’s Zero Trust Maturity Model itself. It “pushes agencies to adopt zero-trust cybersecurity principles and adjust their network architectures accordingly.” The Maturity Model is more of a conceptual roadmap to achieve an “optimal zero trust environment.” Public comments on the Zero Trust Maturity Model are due October 1.

Security technical reference architecture aims to ease cloud migration

The third document is the Cloud Security Technical Reference Architecture, which the administration considers an essential aspect of moving the government closer to zero-trust principles. It walks agencies through how they can migrate to the cloud securely.

Issued last month by CISA, in collaboration with the United States Digital Service (USDS) and FedRAMP, the reference architecture is a 46-page cloud migration guide designed to allow agencies to achieve that transition in a way that enables them to better identify, detect, protect, respond, and recover from cyber incidents. Comments on the architecture are due October 1. CISA will collaborate with USDS and FedRAMP to produce a subsequent version of the guidance following the comment period.

Lack of funding and technical debt pose challenges

These documents are “steps in the right direction,” Theresa Payton, CEO of Fortalice Solutions and former White House CIO in the George W. Bush administration, tells CSO. But the federal government faces challenges between the idea of zero trust and the practical reality where the rubber meets the road.

One of the first challenges is the lack of funds for agencies to implement zero trust adequately. “A lot of these executive orders are unfunded mandates. Typically, a bucket of cash doesn’t fall out of the sky. It’s up to the Office of Management and Budget to understand appropriations that have been allocated to encourage the departments and agencies to allocate previously appropriated funds to the executive order,” Payton says.

The biggest challenge for government agencies is coming up to speed on the relatively new and not immediately obtainable goal of zero trust. “One of my favorite movies is Monty Python and the Holy Grail. The quest for zero-trust architecture is the search for the holy grail. Unfortunately, the killer rabbit [that impedes the crusaders’ search for] the holy grail is the technical debt that most companies and government agencies face, along with skillset shortages.”

Payton offers multi-factor authentication, which underlies the identity pillar in CISA’s model, as an example. “A very basic tenet of zero trust requires multi-factor authentication,” she says. “Many private sector organizations and departments and agencies do not have multi-factor authentication in place. The idea that we’re going to sprint to get a plan in place, and then we’re going to sprint to zero-trust architecture when multi-factor authentication has been out for a decade” and has yet to be universally adopted, illustrates how slowly new security technology adoption occurs she says.

Retrofits will be incredibly hard to achieve

The EO’s zero-trust provisions “are all steps in the right direction, but in practice and execution, they’re incredibly hard to achieve,” Payton says. “It’s very likely that the systems that are already in place for many of the departments and agencies may not easily retrofit into a zero-trust architecture. So, I always say to people that the best way to think about zero trust is it’s actually no trust,” Payton says.

“It is continuous monitoring of every single live connection that you have and never trusting those live connections. For every connection, you have to have transparency, visibility, the ability to authenticate and continuously monitor. That is why zero-trust architecture in combatting cyber crimes and reducing an attack surface is so incredibly helpful, but it is also incredibly difficult to achieve.”

The private sector should also review the zero trust documents

Despite the tight deadlines, most interested parties, including private sector organizations, have known since May that these zero trust documents were coming. Commenters should be relatively well-positioned to respond, Payton says.

“I would highly encourage not just the departments and agencies, but anybody, any organization that’s in an industry vertical where a department or agency is your oversight or your regulator also to review these documents and release comments,” Payton says. “Typically [these kinds of requirements] will flow down from a department and agency to the private sector organizations that fall in that industry vertical.”