Federal Zero Trust Policy Implementation
One of the principal authors of the January 2022 policy to shift the U.S. government toward zero trust shares his insights.
Issued back in late January, the M-22-09 memorandum from the Office of Management and Budget (OMB), entitled Moving the U.S. Government Toward Zero Trust Cybersecurity Principles and issued by OMB acting director Shalanda Young, required federal agencies to meet specific cybersecurity standards and objectives by the end of fiscal year 2024. Eric Mill, a senior advisor to Federal Chief Information Officer Clare Martorana, who helped draft the federal zero-trust architecture (ZTA) strategy, advised agencies to have a mix of “specific and very tangible” technical steps as well as some broader architectural changes.
“We also obviously did not invent these concepts,” Mill said. “We wanted to coalesce some of these concepts and really make clear some of the principles that they are based on and find some strategic areas that we really needed to pin down. Some things on the strategy side are higher level, like broader change management and leaving some flexibility to the agencies, where there are different skills, investments and places on that journey. And in other places, we wanted to get a little bit more specific than OMB usually does to try and make sure that some of the things we know are necessary are getting tended to in the midst of those broader change management conversations.”
Mill spoke Thursday in Rosslyn, Virginia, at the Billington CyberSecurity event, Cyber Priorities and the Federal Push to Zero Trust, with Matthew McFadden, vice president, cyber and distinguished technologist, General Dynamics Information Technology (GDIT), who wrote An Agency Guide to Zero Trust Maturity.
“As a systems integrator, we've been supporting a lot of zero trust journeys, and we are hoping to accelerate a lot of different agencies’ efforts. M-22-09 is a forcing function to start driving towards that journey,” McFadden said. GDIT also prepared a research report, surveying 300 personnel across the federal government about zero trust. “We did the survey right after M-22-09 was implemented and 75% surveyed said their agency had a formal zero trust policy. Half of the agencies did say that they are finding it hard to determine which technologies are needed.”
According to Mill, OMB sees the government’s pursuit of zero-trust architecture taking several years. “We understand it's maybe a multiyear journey and every agency is different,” he acknowledged. OMB, however, wants each agency to set out to accomplish certain steps from start to finish and examine the implications of the cybersecurity measures.
“With encryption [for example], what we really wanted to do is try to articulate that if you're taking seriously the concept of not having implicit trust in your network, that means you should be encrypting things in transit as if they were over the Internet,” Mill explained. And if we're going to talk about relying less on the network perimeter and allow broad network lateral motion then that has implications for where you perform your primary authentication. [We are] really challenging some of the concepts that the federal agencies and other enterprises in the private sector have premised [their operations] on.”
OMB also specified that all the agencies .gov domains be encrypted, whether it is an internal use domain or an external use domain. “Agencies have many of these internal websites that hang on the same domain name that they use for their public ones,” Mill warned. “What it means for them to say, ‘OK, it's a fully encrypted zone,’ means that they really have to take care of their internal house and put them in order. And if an agency is struggling to do that over the next few years, then we can actually see that from the outside and talk about what is causing them to struggle and us being comfortable putting down technical enforcement on this.”
Mill's advice to agencies on some of the broader change management areas that may take several years to handle is for them to begin to tackle problems “to get things to done.”
“Look at the places in your agency where you can make some of this transformational change over a few years and get it all the way done,” he said. “It's much better to get some big chunk of the parts of your agency that you care about and get it to completion, than in three or four years to only have gotten 10% accomplished across your gigantic organization. There's a big focus on enterprise-wide change and that's a huge component of this, but at the same time that can't cause paralysis.”
“Measured progress,” added McFadden.
In addition, OMB’s policy has a significant focus on multifactor authentication to eliminate phishing cyber breaches. Mill understands that to accomplish this, agencies will have to make unfamiliar change.
“We're trying to take phishing off the table as an inexpensive way to get a foothold in a federal agency,” Mill advised. “That means we need to be using methods of authentication that can do that and impose an order of magnitude higher in costs on [adversaries]. But that meant taking some options from policy perspective off the table, things that people are used to doing in their enterprise, whether it's text messages or push notifications. We are really pushing away from that pretty hard. People are routinely disappointed to learn that those things can't hold up against the way the phishing attacks are performed today.”