The final zero trust strategy released by the Office of Management and Budget on Jan. 26 is more than just yet another attempt by yet another administration to address long-standing cybersecurity challenges.
It’s more than just 19 requirements agencies must begin working on today and over the next two years. OMB set a deadline for agencies by the end of fiscal 2024 to implement specific goals related to creating a zero trust architecture.
And it’s more than the latest buzz word to grab headlines, conference agendas and talking points.
The zero trust strategy is a starting line, the culmination of a vision started more than a decade ago by federal executives waiting for the technology and culture to catch up, and it’s a roadmap that is both prescriptive enough and patient enough to give agencies a North Star to strive for over the next three years.
“This final product we’ve got is such a great example of the public-private partnership, everybody working together to create a clear roadmap that any organization can follow. It doesn’t just need to be federal government,” said Chris DeRusha, the federal chief information security officer, in an exclusive interview with Federal News Network. “We think that’s an exciting opportunity for us to lead. Our goals here are to define what does zero trust mean for the federal government and make sure that we’re creating a clear plan of action for agencies to follow over the next three years. We’ve got some consistent starting points now for all of those agencies and what we will be able to do because of that is fund and measure progress, and then we will be able to even benchmark that progress across the enterprise and see how we’re doing across the board.”
Many of the 19 actions the strategy lays out build on existing cybersecurity efforts like the continuous diagnostics and mitigation (CDM) program, Homeland Security Presidential Directive-12 (HSPD-12), data encryption and domain name system protections.
DeRusha said this is why the strategy isn’t giving agencies specific deadlines for each area under the maturity model, developed by the Cybersecurity and Infrastructure Security Agency.
“Each agency is going to have somewhat of a different ordering to fulfilling the whole plan. Now, that said, I do believe we are going to emphasize certain pillars and certain sections of the plan over others. For example, identity. I think we all know for the zero trust journey, you’ve got to have a strong core identity. We’re pushing on multi-factor authentication (MFA), something we’ve been doing for years, but we’re doubling down and we’re putting the appropriate emphasis on it,” he said. “We’re really focusing on those security measures that are going to give us the highest return. When you look at things like MFA, it’s just toward the top of the list in stopping bad actors from achieving their goals. I know it’s something that we’ve been talking about for a while, but there’s a reason that it’s been given air time, the prioritization at the center of the executive order from last year and zero trust strategy. We’ve worked on it for a very long time, so you could say we are working the last mile.”
Agencies must name senior leader
Reaction to the strategy from industry has been, as expected, positive.
“OMB went much further than anticipated. The September draft was good but it lacked some substance and what I thought was consumable ways to get things done. They have clearly come out to say some of the things industry has been saying for some time and get away from the concept of creating a hard perimeter,” said Stephen Kovac, the chief compliance officer for Zscaler and the vice chairman of the Alliance for Digital Innovation (ADI), an industry association. “I believe this policy is a permission slip for agencies to move away from having to protect the hard perimeter, but they need help with it. They have 60 days to come up with a plan. I think we will see use cases or templates come out that will pave the way for some of the agencies to move toward zero trust.”
DeRusha said those initial plans and the naming of the senior leader in charge of each agency’s zero trust plan are something OMB will be paying close attention to over the next few months.
“We did not intentionally say each one of those needs to be completed by ‘X’ date. We’re asking them to take a clear assessment of where they have maturity, where they have a plan and where they’ve got a gap,” he said. “Then let’s focus now and in 2022 on all the things that they can do and should do, and then make sure that they’re putting the plans in place that we can then properly fund for those things that they’re going to need to do next.”
DeRusha said OMB is focused on those short-term security measures that will give agencies the highest return in the shortest amount of time. That is why identity is mentioned 40 times in the 29-page document.
A single identity management capability
That push from OMB on not just identity, but driving protections to the application layer is another key change in the final strategy. OMB released the draft strategy in September and asked for industry and agency feedback.
Matt McFadden, the vice president of cyber, the lead for the cyber center of excellence and zero trust accelerator initiative for GDIT, said the final strategy clarified OMB and CISA’s intentions and actions needed to achieve zero trust.
“There is a lot more focus on centrally managed systems that are more integrated and more federated. That is important as you take a deep dive into protecting identities and devices,” McFadden said in an interview. “The goals drive more toward isolation and micro segmentation, which is one of the harder challenges of enterprise implementation. But they understand they have to have an enterprisewide identity system and be able to federate that across the environment. There is a huge assessment piece not only focusing on current capabilities to extend to zero trust but identifying and mapping an agency’s attack surface. That way they can begin to prioritize how you drive forward a lot of these actions.”
Kovac said OMB’s focus on protecting the application layer is a major change from traditional cybersecurity approaches.
“We’ve all heard them say get out of data centers, but it hasn’t happened at every agency. There are some progressive agencies like Education or Energy that have, but many haven’t. So to me, the strategy will push people’s limits to use the internet as a method of access and zero trust will make it work,” he said. “By making the application accessible through the internet and not behind a hard perimeter, that will give agencies the true view of what zero trust means. Everything is accessible and there are ways to get to applications that don’t include coming back to the data center and there isn’t a need for big networks. I think TIC 3.0 laid the foundation for this and now zero trust provides the security.”
DeRusha and OMB continued to lean on CISA, the National Institute of Standards and Technology, the CIO Council and industry in developing this final strategy.
He said the final strategy frames the goals using language that should stand the test of time as technologies and cyber threats evolve.
“There were some things that we kind of backed off on standards, and they’re still being debated, and it’s not clear where the forward is. We may have pulled back in other areas, just gave more room for how to implement,” he said. “Our focus in the months and years ahead is really just working hand-in-hand with the agencies throughout this implementation process and making sure they have the right tools and support they need to meet the goals we set on the strategy. This is us coming together with a clear plan that we’re going to emphasize and we’re going to be very focused on that moving forward.”
Zero trust playbook in the works
DeRusha said CISA’s role will continue to grow through shared services like CDM and its vulnerability disclosure platform offering as well as its direct implementation support.
The support also will come from a new zero trust playbook from the CIO Council and the General Services Administration’s Office of Governmentwide Policy.
Tom Santucci, the director of the Data Center and Cloud Optimization Initiative program management office at GSA, said the goal of the playbook is not to replicate what already exists in the public and private sectors, but fill in the gaps in the knowledge base.
“We are working with the zero trust working group of the CIO Council so they are aware of all the documents being produced by others. We are trying to incorporate what we can from other entities and produce documents where there doesn’t seem to be any, particularly in the policy area,” he said.
GDIT’s McFadden said that through the strategy, related playbooks and industry’s help, agencies should begin their journey to mature across the five pillars of the zero trust maturity model.
“When you look at agencies that are such large enterprises with a lot of component agencies, it’s hard to drive that strategy consistently. That is why they need to focus on assessments to assess current capabilities and current scope of assets as they are working to drive implementation plans,” he said. “By understanding where they are mature, and quite a few agencies are more mature on identity, they will see where they have gaps to meet specific actions or outcomes and then drive toward a higher level of maturity. I think there needs to be a lot of focus on assessments because they have to understand everything holistically before they can drive key actions of this strategy.”