White House Releases Zero Trust Strategy for Federal Government
The White House has unveiled its strategy to embed a zero trust approach to cybersecurity across the federal government.
The memorandum, published by the Office of Management and Budget (OMB), sets out a series of specific security goals for agencies to establish a ‘never trusted, always verified’ model. This includes introducing stronger enterprise identity and access controls, such as multi-factor authentication (MFA). It also wants federal agencies to have a complete inventory of every device they operate and authorize for government use, and to encrypt all DNS requests and HTTP traffic within their environment.
The strategy represents a key component of delivering President Joe Biden’s Executive Order last year, which mandated a drive to secure cloud services and zero trust across federal government departments and their suppliers.
Federal agencies must incorporate the additional requirements identified in the new memorandum into their plans to develop zero trust architecture within 60 days. In addition, they need to designate and identify a zero trust strategy implementation lead for their organization.
The latest requirements were developed in response to increasingly sophisticated cyber-attacks, including the Log4j vulnerability. The OMB said such incidents have demonstrated that the federal government can no longer depend on conventional perimeter-based defenses to protect critical systems and data.
Federal chief information officer Clare Martorana commented: “Security is the cornerstone of our efforts to build exceptional digital experiences for the American public.
“Federal agency CIOs and IT leadership are leaning into this challenge, and the zero trust strategy provides a clear roadmap for deploying technology that is secure by design and responsive to the needs of our workforce so they can better deliver for the American public.”
Responding to the memorandum, Vats Srivatsan, COO of ColorTokens, pondered whether the UK will take a similar approach to mandating zero trust principles across the government. “This week the United States took a proactive step towards safeguarding the nation with resilient security. Government-wide zero trust mission completion will be a journey, and the path has been laid out in a set of goals and implementation efforts outlined in the OMB’s strategy. This undoubtedly sets a precedent for other countries and is a well laid-out model of implementation that the UK can and should borrow from.
“Zero trust is widely recognized as a highly effective, long-term approach to breach resilience; however, zero trust architecture can’t be achieved overnight. The sooner any institution embarks on a zero trust journey to modernize its cyber-defenses, the sooner zero trust maturity and breach resilience can be achieved. Boris Johnson is known to keep his eye on modern technology, so it is a surprise that the UK appears to be kicking the zero trust can down the road. That being said, the UK frequently follows suit on US policy, oftentimes with some initial hesitation. If the UK plans to stay ahead of the threat environment, it will certainly want to follow the US’s lead.”
Earlier this week, the UK government announced a new cybersecurity strategy designed to protect essential public sector services from being shut down by hostile actors.