How agencies can address OMB’s new zero trust requirements

Recently, the Office of Management and Budget announced a draft zero trust strategy that builds on the President’s Executive Order for Improving the Nation’s Cybersecurity, the most comprehensive change to the national cybersecurity strategy to date and one that lays out an approach to modernization. The EO and this latest OMB memorandum amount to a massive shift in approach and force federal agencies to modernize their cybersecurity. There are some key challenges, and some great opportunities, for agencies to make significant cybersecurity improvements faster than the traditional procurement and implementation process allows.

It’s all about identity!

The OMB memorandum provides mandatory minimum requirements for federal agencies to meet in an effort to move towards a zero trust approach.

What this means is that access to applications and data, generically lumped together as “resources,” will no longer be determined by authenticating to and gaining access to a specific network or domain. A remote-access VPN will no longer grant ubiquitous access; either it will be removed completely or it will be merely a first step, after which access to specific applications is granted dynamically. These applications will only be visible and accessible to authenticated and authorized users, and segmented from each other and from the network. This change is already being forced naturally by the move to cloud resources, specifically SaaS applications that do not reside on any federal network.

Shifting from location-based access to everything on a protected network to per-application provisioning and dynamic access decisions does, however, present a new challenge for federal agencies. Existing IaaS networks and SaaS applications are not part of the on-prem agency network or domain, which makes a centralized identity for access to all resources, and single sign-on (SSO) across all of them, a challenge.

OMB’s zero trust memorandum specifically mandates this effort of SSO and central identity management, which, as mentioned above, will be a significant technological challenge depending on the technology stack an agency chooses to use. With some stacks this is possible but labor intensive using current technologies, while others require introducing new identity, credential and access management (ICAM) technologies that simplify and streamline the solution.
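The shift described above, from "on the network means access to everything" to a per-application decision that ignores network location, as an added illustration that is not part of the original article. The users, resources and entitlement table are constructed sample data, and the two decision functions are simplified stand-ins for a real policy decision point.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    resource: str
    authenticated: bool        # identity proven at the central identity provider
    mfa: bool                  # second factor completed
    device_compliant: bool     # endpoint posture reported as healthy
    on_agency_network: bool    # connected via VPN or the on-prem network


# Constructed sample entitlements from a central identity store:
# each user is provisioned only for the applications they need.
ENTITLEMENTS = {
    "alice": {"hr-saas", "payroll"},
    "bob": {"hr-saas"},
}


def legacy_decision(req: AccessRequest) -> bool:
    """Perimeter model: once on the network (e.g. through VPN), everything is reachable."""
    return req.authenticated and req.on_agency_network


def zero_trust_decision(req: AccessRequest) -> tuple:
    """Per-application decision that never consults network location.
    Returns (allowed, reason)."""
    if not (req.authenticated and req.mfa):
        return False, "identity not strongly verified"
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        return False, "user not authorized for this resource"
    if not req.device_compliant:
        return False, "device posture not compliant"
    return True, "allowed"


def visible_resources(user: str) -> set:
    """Applications are only advertised to users provisioned for them."""
    return set(ENTITLEMENTS.get(user, set()))


if __name__ == "__main__":
    # Bob is on the VPN and asks for payroll: the perimeter lets him in, per-app policy does not.
    bob = AccessRequest("bob", "payroll", True, True, True, True)
    print(legacy_decision(bob), zero_trust_decision(bob))
    # Alice reaches the SaaS app from the internet with MFA and a healthy device: allowed.
    alice = AccessRequest("alice", "hr-saas", True, True, True, False)
    print(legacy_decision(alice), zero_trust_decision(alice))
```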

How can organizations build up internal expertise around zero trust architectures?

When it comes to zero trust, the first big “aha” moment was that it’s not about a specific tool per se, but more the overall methodology and approach. The next big “aha” for organizations is that they don’t necessarily need to buy tons of new products right away to modernize and improve their cybersecurity. What they do need is to re-examine how these tools are used, how they can work together and what policies and processes need to change.

The challenge for federal agencies isn’t completely rearchitecting their entire environment, but re-imagining their architecture.

What the entire cybersecurity industry needs is to bring all the pieces of the architecture together, much as the software-defined data center movement in infrastructure brought all of its pieces together and eventually led to the cloud revolution of SaaS and IaaS. What many have not completely understood is that zero trust, at its foundation, is built on that same principle of an integrated and automated cybersecurity defense.

Making this shift is not a wholesale product change. It requires a true architectural mind that can:

  • Assess what an agency currently has.
  • Determine how those pieces might be fit together like a puzzle.
  • Automate processes to ultimately grant access per the situational awareness of the security posture of the entire enterprise.

Unfortunately, these architectural minds don’t grow on trees and there aren’t many available on the open market!

Consultants and integrators who know and understand IT architectures, cybersecurity and specifically the zero trust philosophy will need to step into the fold. What federal agencies need in the long term is to grow internal zero trust architects from their current IT and cybersecurity staff. In order to accomplish this, agencies will need to bring in outside expertise (at least in the short term) to help establish a “crawl, walk, run” process.

The search for that expertise should focus on consultants with a working methodology for moving enterprises from static, stove-piped cybersecurity tools that merely log to a security information and event management (SIEM) tool to a dynamic, integrated and automated zero trust architecture. These assisting organizations will start by assessing a federal agency’s current environment for components that are viable in various potential zero trust use cases and workflows. Once there is a solid understanding of what is in the environment, the consultant will need to work closely with the agency to identify the use cases and workflows that can be mapped to the components already available.

The immediate goal should be to architect zero trust use cases and workflows that can be achieved for “a win” as quickly as possible.

How can agencies meet the 2024 deadline?

While the deadline for implementation of this zero trust strategy is 2024, in reality it’s only two budget cycles away. Government organizations are going to be in a bit of a scramble because it will take some time to get everything in order.

As federal agencies just received the OMB document in the middle of September, they are in the tail end of the process of building out a budget for FY 22. That proposed budget will be submitted to Congress for funding in Q1FY22, which begins in October. At this point, many agencies have already formulated their FY22 budget and won’t be able to make changes. This puts an even bigger crunch on these agencies, where they will need to put any unresolved action items into the budget cycle for FY23, which most likely wouldn’t be approved and funded until at the earliest next fall. This timeline is why the OMB memorandum calls for an implementation plan that includes a budget estimate for FY23-24.

The memorandum specifically directs agencies to re-prioritize funding from FY22 and more interestingly, directs agencies to utilize “working capital funds,” such as the Technology Modernization Fund (TMF). Additionally, it directs agencies to work harder to utilize the Department of Homeland Security’s continuous diagnostics and mitigation (CDM) program, even mandating that any agency that has not yet participated in the CDM program must now do so. Both of these programs have essentially become funding sources that do not have fiscal year boundaries and do not require congressional approval to be allocated.

In the short time since this OMB memorandum was released, I’ve already seen two instances where mandated actions that were in FY22 budgets were sent out for bid utilizing the TMF available funding. Some agencies are acting fast on this directive and have the opportunity to bring forward their cybersecurity goals that were previously months to a year out.

The end goal is worth it

As a whole, the OMB memorandum is a needed document that sets a baseline (for now) for the steps agencies must take to move toward a zero trust architecture. Unfortunately, it will also create a low bar: some agencies will check the box and move on because of budget pressures and other mandates they must also meet. This means that the administration, CISA and OMB will have to keep exerting pressure on agencies with newer guidance at some interval.

The most encouraging aspect of this document is its apparent acknowledgement of the budget pressures created by past unfunded mandates. By specifically ordering agencies to re-prioritize budgets, officially moving risk to the agency CIO, and offering alternative funding such as the TMF and CDM programs, OMB and the administration are signaling that cybersecurity is no longer subservient to mission priorities.

Jean-Paul Bergeaux is Federal CTO at GuidePoint Security.