It's official. On January 26, the US Office of Management and Budget (OMB) laid out its Federal Zero Trust Strategy in a finalized version of the memorandum that's been making the rounds in draft form for a couple of months now. The document formalizes OMB expectations for zero-trust architecture at all federal agencies, with deadlines set to meet a spate of cybersecurity objectives by the end of 2024.
The question is, how ready are the agencies to make good on these expectations?
According to a survey also released last week, technology and security leaders tasked with the monumental push are hopeful about their agency's ability to implement zero trust — but they believe that the OMB is pushing them to move too fast with its set of deadlines.
Understanding the OMB Zero-Trust Deadlines
The sweeping measures demanded by OMB are driven by the cybersecurity executive order issued by the president in May and shaped by the Zero Trust Maturity Model publicly released by the Cybersecurity and Infrastructure Security Agency (CISA) in September. Based on that model, OMB has grouped its objectives around five core pillars of cybersecurity, namely identity, devices, networks, applications and workloads, and data. A quick round-up of the OMB expectations for agencies by the end of 2024, grouped by pillar, is as follows:
Identity
- Employ centralized identity management that's integrated into apps and common platforms
- Use phishing-resistant MFA across the enterprise that's enforced at the network layer
- Require at least one device-level signal for user authorization
Devices
- Create reliable asset inventories through CISA's Continuous Diagnostics and Mitigation program
- Widely deploy and use endpoint detection and response (EDR) that meets CISA's technical requirements
Networks
- Use encrypted DNS wherever technically supported
- Enforce HTTPS for all Web and API traffic
- Develop a zero-trust architecture plan in consultation with CISA that describes the agency's approach to segmentation
Applications and Workloads
- Operate dedicated application security (appsec) testing programs
- Engage with vetted appsec firms for third-party independent appsec evaluation
- Run a public vulnerability disclosure program for Internet-accessible systems
- Move toward using immutable workloads, especially for cloud-based infrastructure
Data
- Automate data categorization, focusing on tagging and managing access to sensitive documents
- Implement comprehensive logging and information sharing
- Audit and monitor access to encrypted data stored in commercial cloud infrastructure
In order to ensure agencies are on track for meeting these deadlines, OMB has some more immediate cutoff dates that agency leaders have to meet in the next few months.
Within 30 days of the memo, all agencies are required to designate to the OMB a zero-trust strategy implementation lead for their organization. These will be the people coordinating with OMB, CISA, and other government agencies in the run-up to 2024. And within 60 days of the memo, agencies must be ready to submit to the OMB an implementation plan and budget planning for the next two years for meeting the zero-trust strategy requirements.
Uncertainty About the Aggressive Timeline
Even with the head start given to agencies by the executive order and the release of the CISA maturity model last year, many within the federal space think the timeline may be overly optimistic and could even do more harm than good. A study released by MeriTalk last week shows positive signs that agency technologists are grateful for the cybersecurity and modernization push that's driving this latest memo. Conducted among 151 federal cybersecurity decision-makers, 92% say recent initiatives have increased their confidence in their agency's ability to implement zero trust. And 73% of them say that their agency is already aggressively adopting zero-trust principles.
However, 87% believe that the OMB is pushing agencies to move too fast for zero-trust implementation. Only about one in ten say they have the support they need right now to achieve optimal zero-trust maturity.
"The results shouldn't be a surprise," says Stuart Itkin, vice president of CMMC & FedRAMP Assurance at cybersecurity consulting firm Coalfire. "Date-driven government initiatives haven't typically fared well."
The survey showed that approximately three in four respondents reported it would be challenging to very challenging for their agency to reach optimal maturity in each of the five pillars, with the highest levels of uncertainty around device security.
Keatron Evans, principal security researcher for Infosec Institute and a consultant for KM Cyber Security, agrees that the OMB's timeline is "very aggressive."
"In some regards there are some unrealistic expectations. Some of the requirements may even make security worse in some areas," he says, going on to explain that most agencies are barely at the starting gate of their zero-trust journey. "Earnestly, I estimate that less than 10% are ready to start. Most of them don't have the technical expertise or the appropriate budgets. I get the sense that some of the deadlines laid out failed to consider the actual quantitative costs involved."