Still wondering what the “new normal” will look like? Federal cyber leaders say it looks an awful lot like zero trust — at least on the IT side of things.
President Joe Biden’s executive order 14028 in May, “Improving the Nation’s Cybersecurity,” was the catalyst for three documents to help agencies adopt zero trust cybersecurity principles. The Office of Management and Budget released a draft Federal Zero Trust Strategy, to adapt civilian agencies’ enterprise security architecture to zero trust principles. OMB’s Eric Mill said that if he had to pick a central theme and umbrella effort for the different security initiatives at the organization, this would be it.
Mill is senior advisor to the administrator in the Office of the Federal Chief Information Officer, within the Office of E-Government and IT at OMB. He said the Biden administration is leaning into stronger multi-factor authentication — especially to tackle phishing — and is pushing for stronger encryption.
“Not just for externally-facing traffic, but really taking the concept of untrusted networks as seriously as possible and encrypting traffic within federal environments, by only addressing things like encrypted DNS and the like,” he said during a webinar hosted by ATARC on Thursday. He also said the administration is emphasizing a heavier focus on validating security in practice through application testing, and putting security at the application level wherever possible, “really proving to ourselves that things are secure by throwing as many public and internal resources at it as possible.”
The EO’s elements have been discussed before, but the administration’s attempt to put them together in a coherent way, pulling the pieces of the government together, is a positive development, Mill said.
The Federal Zero Trust Strategy also aligns with the Zero Trust Maturity Model, which the Cybersecurity and Infrastructure Security Agency developed around data, applications, networks and identity. This model is open for public comment through this Thursday, Oct. 1.
“It really is imperative for us to look at how we can support the agencies knowing we’ve made a heavy investment in [continuous diagnostics and mitigation], as well as what we’ve been doing with [Trusted Internet Connections] and really being able to map those services and capabilities to how we can support zero trust and how agencies can recast existing capabilities — especially enterprise investments to support micro segmentation,” CISA Senior Technical Advisor John Simms said.
The maturity model will also help the U.S. Digital Service prioritize what to do next. Elizabeth Schweinsberg, a USDS Digital Services expert, said that inside the model are three levels — traditional, advanced and optimal — as well as suggested questions to figure out which level one has reached. She said that translates to specific products or organizational uses.
“Because maybe not everything needs to be at optimal?” she said. “There’s a lot of information that goes on our website that is publicly accessible. So maybe those, where they are stored internally, maybe it only needs advanced?”
She said the “castle and moat” approach to network security, wherein anyone inside the network is trusted automatically, served agencies well for decades, so it will be interesting to see what zero trust can do.
Implementing the Federal Zero Trust Strategy will take considerable partnership and coordination among USDS, CISA, OMB, the Defense Department and other agencies. Mill said they have had a lot of practice over the last eight to nine months, and while he would not claim the federal government operates entirely smoothly, he said pre-existing working relationships between the agencies in question mean organizations will keep each other in the loop.
That coordination can be undermined even within an agency, though, by something as simple as working on the same Word file. That was the case for USDS, Schweinsberg said.
“Because USDS has members who work solely at some of the different departments and agencies, and some who work for USDS, which is part of OMB. So we didn’t even all have access to the same set of tools other than Word running on our local computers,” she said. “I’m becoming a bit of a MAX.gov convert. There are many options for your document sharing and there may be some that feel more natural and integrated, but it is an improvement over emailing documents around with your initials at the end.”
These types of logistics are probably going to come up more frequently in federal agencies, she said.