OMB preparing agencies for three-year sprint to a new cyber standard

The National Institute of Standards and Technology published its zero trust architecture special publication in August 2020.

The Defense Department issued its zero trust reference architecture in April.

In May 2018, the Federal Chief Information Officer’s Council asked the industry group ACT-IAC to evaluate the technical maturity, availability for procurement and important issues related to zero trust.

Add to that the dozens of vendors who have jumped on the zero trust bandwagon and are promoting their assorted capabilities, and the entire discussion around what zero trust is has become murky and lacks precision.

This is what the Office of Management and Budget’s draft zero trust strategy, released on Sept. 7, is trying to change by bringing this cybersecurity approach together across government. The strategy is one of several ongoing deadlines detailed in the May executive order from President Joe Biden.


“We didn’t feel like there was a clear agency roadmap for them to follow,” said Chris DeRusha, the federal chief information security officer, in an interview with Federal News Network. “That led us to take the approach that you see in the strategy that we’ve put out for public comment, where we’re taking a phased approach organized around this draft capability maturity model [from the Cybersecurity and Infrastructure Security Agency], defining set targets for agencies over a three-year period to achieve a certain first level of maturity across all the zero trust pillars, and is designed to get agencies all moving in the right direction. We will support that with communities of practice, sharing best practices, surging technical support, where possible, and really just sort of learning from this first phase for us of a multi-year journey that we view this as.”

The draft strategy, which is open for public comment through Sept. 21, tries to lay out concepts and end results versus a prescriptive approach to reaching full maturity under CISA’s zero trust pillars.

“This strategy does not attempt to describe or prescribe a fully mature zero trust implementation. Nor does it discourage any agency from going beyond the actions described herein. The purpose of this strategy is to put all federal agencies on a common roadmap by laying out the initial steps agencies must take to enable their journey toward a highly mature zero trust architecture. This recognizes that each agency is currently at a different state of maturity, and ensures flexibility and agility for implementing required actions over a defined time horizon,” the draft strategy stated. “The strategy also seeks to achieve efficiencies for common needs by calling for governmentwide shared services, where relevant. Transitioning to a zero trust architecture will not be a quick or easy task for an enterprise as complex and technologically diverse as the federal government.”

5 pillars, 2024 deadline

OMB broke down the strategy across the five pillars: identity, devices, network, applications and data.

Each of these areas has detailed goals and, in some cases, specific deadlines, including reaching a basic zero trust maturity level by the end of fiscal 2024.

“Departments and agencies will have 30 days from the publication of this memorandum to designate and identify a zero trust architecture implementation lead for their organization. OMB will rely on these designated leads for government-wide coordination and for engagement on planning and implementation efforts within each organization,” the draft strategy stated.

DeRusha said the draft strategy recognizes that agencies already are heading down a path toward implementing a zero trust architecture. At the same time, however, he said OMB wanted to make sure there were no gaps in the implementation, which is partly why the administration is asking so much from agencies over the next three years.

“Although agencies are making a lot of progress on certain areas, we find that there’s several other areas, which are far less mature across the federal enterprise,” he said. “For us, this is really about being clear what the priorities are. That’s what we’re doing with public comment, making sure that we’ve got those initial priorities right and seeking that feedback and making adjustments if others who are further along in the journey have different lessons for us. Although it feels like a lot, and it is, I think that it is clear to us that agencies are already on this path. We’re just trying to bring it all together and make one clearly defined roadmap that we can all learn from together, benchmark progress on and really kind of move out as one federal enterprise.”

Dealing with an unfunded mandate

Part of the challenge OMB and agencies face with the move to zero trust will be funding. While OMB tells agencies to submit an implementation plan for fiscal 2022 to 2024 and a budget estimate for 2023 and 2024, the reality is this is another unfunded mandate.

DeRusha acknowledged the funding challenge, but also said OMB expects agencies to reprioritize how they fund cybersecurity initiatives and take a hard look at what they are investing in.

“We’re definitely working closely with our resource management colleagues within OMB to make sure they understand what we mean by the zero trust strategic priorities, and the types of investments we’re expecting to see from agencies,” he said. “In the plan, we’ve asked for 60-day implementation and resource plans back from agencies, which we plan to be heavily involved in to ensure they are the right investment choices. We’re moving fast and having some of those conversations now because the budget process is definitely moving forward in earnest for 2023.”

DeRusha added that most agencies have reacted positively to moving toward a standardized and consistent approach to zero trust.

Another option for funding OMB highlighted in the draft memo is the Technology Modernization Fund and agency working capital funds.

DeRusha said agencies submitted dozens of project proposals to the TMF Board seeking money for zero trust efforts.

“We’re thinking that’s a great opportunity to really use the oversight and governance and help that we provide in the TMF structure to get some of those assessments of where some big, medium and small agencies are at currently, and what they’re going to need to do to be successful in helping on that journey,” he said. “We can use those lessons learned to help everyone else independently from that.”

After OMB receives comments by Sept. 21, DeRusha said the goal is to get the final strategy out as soon as possible, balancing the urgency of the cyber environment with the need to make sure they have the right plan to achieve the goals.

“This is a top priority for this administration’s senior cyber leadership. I think you saw that in our announcement. We came out with one voice, one website for both DHS CISA’s documents and this strategy. Everybody wants to see agencies successful in this journey,” DeRusha said. “It’s true three years sounds like a long time, but in our world it’s not. That’s why we’re taking this in phases. We’re trying to be iterative here, and put out this initial strategy, initial direction, galvanize the public to give us feedback, and make sure it’s the best plan that we can draw out today. Then we can be agile about that and do this in phases.”
