Editor’s note: After initial publication of this story, the White House published its zero trust strategy, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” This story has been updated with additional details.
The White House’s new zero trust strategy gives agencies a chance to overhaul how employees and citizens access federal systems, as the Office of Management and Budget looks to balance a near-term imperative to improve security and a long-term goal of revamping digital authentication.
Eric Mill, senior advisor to the federal chief information officer, offered a preview of the document Tuesday during a conference hosted by the Better Identity Coalition.
The White House released the finalized strategy on Wednesday morning. The strategy places a “significant emphasis on stronger enterprise identity and access controls, including multi-factor authentication.” The memorandum requires agencies to meet specific zero trust security goals by the end of fiscal year 2024.
But Mill said the strategy is not just about deadlines.
“It’s not just about multifactor authentication,” he said. “We’re looking at a major architectural shift for the federal government. And we know that’s a multi-year process. We’re trying to both design an oversight and timing process that reflects the urgency with which we need to move and the reality of the size of the work that is happening.”
Agencies have 60 days to submit an implementation plan to OMB and the Cybersecurity and Infrastructure Security Agency, according to the strategy. Agencies will need to “internally source” funding for FY-22 and FY-23 to pursue the zero trust goals, or seek alternative resources like working capital funds or the Technology Modernization Fund.
Within 30 days, agencies also have to designate a zero trust lead.
“There’s an opportunity here to enable some very new user experiences, but we haven’t really had the opportunity to revisit assumptions around how users log into systems for a long time,” Mill said.
One of the key priorities for OMB is improving defenses against phishing, one of the most common types of cyber attacks. Mill said OMB wants agencies to adopt multifactor authentication solutions that are resistant to phishing attacks. He highlighted SMS text messages and push notifications as methods that are still susceptible to phishing.
In addition to the continued use of “Personal Identity Verification,” or PIV, cards, Mill’s presentation showed OMB will require agencies to support the Web Authentication (WebAuthn) standard, part of the FIDO2 set of specifications. The FIDO Alliance is an open industry association that develops and promotes authentication standards.
“We’re really specifically going for broadening the use of other kinds of phishing resistant methods, and that’s FIDO2 and Webauthn in the real world, into federal agencies alongside PIV,” Mill said. “We’re trying to be really as clear as we possibly can that this is something that agencies can and should be doing now.”
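What makes FIDO2/WebAuthn “phishing resistant,” and SMS codes or push approvals not, is origin binding: the browser writes the origin it is actually on into the signed client data, and the authenticator will only sign for the relying-party ID it was registered under, so a credential relayed through a look-alike site fails server-side checks without the user having to notice the URL. A one-time code, by contrast, is just text that the user can be talked into typing anywhere. The following Go program is an added example, not code from the strategy, OMB, or any agency; it models one P-256 credential on a security key and the relying-party verification steps of the WebAuthn assertion ceremony, using the made-up RP ID `agency.example`, origin `https://login.agency.example`, and phishing origin `https://login-agency.example`.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the CollectedClientData a browser assembles for a
// WebAuthn get() call. The browser, not the user or the page script, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is the response the relying party receives from the client.
type assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	Signature      []byte // ES256 over authData || sha256(clientDataJSON)
}

// authenticator models one P-256 credential on a security key (assumed, toy model).
type authenticator struct {
	rpID  string
	key   *ecdsa.PrivateKey
	count uint32
}

func (a *authenticator) sign(challenge, origin string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(a.rpID))
	a.count++
	authData := append([]byte{}, rpIDHash[:]...)
	authData = append(authData, 0x05, 0, 0, 0, 0) // flags: user present + user verified; 4-byte counter
	binary.BigEndian.PutUint32(authData[33:], a.count)
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, digest[:])
	return assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, err
}

// relyingParty holds what the server stored at registration.
type relyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
	lastCount    uint32
}

// verify performs the server-side checks of the WebAuthn assertion ceremony.
func (rp *relyingParty) verify(challenge string, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong ceremony type or challenge (replay or cross-session)")
	}
	if cd.Origin != rp.origin { // origin binding: where the browser actually was
		return fmt.Errorf("origin %q is not the expected %q", cd.Origin, rp.origin)
	}
	wantRP := sha256.Sum256([]byte(rp.rpID))
	if len(as.AuthData) < 37 || !bytes.Equal(as.AuthData[:32], wantRP[:]) {
		return errors.New("rpIdHash mismatch or truncated authenticator data")
	}
	if as.AuthData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	count := binary.BigEndian.Uint32(as.AuthData[33:37])
	if count <= rp.lastCount {
		return errors.New("signature counter did not increase (replay or cloned authenticator)")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], as.Signature) {
		return errors.New("invalid signature")
	}
	rp.lastCount = count
	return nil
}

func newChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// DemoResult carries the outcome of the three scenarios so callers can inspect them.
type DemoResult struct{ Legit, Replayed, Phished error }

func Demo() DemoResult {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	auth := &authenticator{rpID: "agency.example", key: key}
	rp := &relyingParty{rpID: "agency.example", origin: "https://login.agency.example", pub: &key.PublicKey}

	ch := newChallenge()
	as, _ := auth.sign(ch, rp.origin) // 1. user on the real site: accepted
	legit := rp.verify(ch, as)
	replayed := rp.verify(ch, as) // 2. same assertion submitted again: counter check trips

	// 3. Adversary-in-the-middle phishing: the attacker forwards the real challenge
	// to the victim's browser on a look-alike origin. The browser records that
	// origin in clientDataJSON, the key signs it, and the real server rejects it.
	// (A real browser refuses even earlier, because the RP ID must be a registrable
	// suffix of the page's domain; the server-side check is defence in depth.)
	ch2 := newChallenge()
	phished, _ := auth.sign(ch2, "https://login-agency.example")
	return DemoResult{Legit: legit, Replayed: replayed, Phished: rp.verify(ch2, phished)}
}

func main() {
	r := Demo()
	fmt.Println("legit:", r.Legit, "\nreplayed:", r.Replayed, "\nphished:", r.Phished)
}
```

Nothing in the ceremony depends on the user spotting the spoofed domain, which is the property the SMS and push methods Mill named lack: a relayed one-time code or a blindly approved push carries no origin, so the verifier cannot tell a proxied login from a real one.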
While the zero trust strategy is largely focused on the federal enterprise, Mill also said it’s often difficult to draw a clear distinction between internal agency environments and public-facing networks.
He said OMB will require that public-facing services using multifactor authentication give the public multiple authentication options and not impose security restrictions that would reduce accessibility and equity. That in turn should improve usability for agencies as well.
“There are a lot of use cases where the federal government has services that are not used by the whole general public, but by specific subsets, maybe they’re contractors, maybe the state and local agencies,” he said. “It’s going to be important for us to be able to use the same things as people span different systems.”
Mill also said OMB “remains enthusiastic” about the potential to leave passwords behind, with many services turning to biometric authenticators and PINs as more secure log-in methods.
“We certainly see that as part of the future of where the government should go,” he said.
But with passwords remaining a major authentication method for the foreseeable future, Mill said OMB is focused on getting the federal enterprise to drop outdated practices, like rules that require employees to change their password every 90 days or to satisfy specific composition rules, such as mixing upper- and lower-case letters.
“These have at this point been widely studied and demonstrated to reduce security as well as reduce usability,” Mill said. “And so this is one of those opportunities that we have to improve security and usability at the same time. And these have been laid out pretty clearly by NIST now in their digital identity standards for several years, and we’re really doubling down.”
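The NIST guidance Mill refers to is SP 800-63B section 5.1.1.2: check a candidate password for length (at least 8 characters, allow at least 64), compare it against a blocklist of breached, common, context-specific and repetitive or sequential values, and otherwise impose no composition rules and no calendar-based expiry. The Go program below is an added example written for this page, not OMB or NIST code; it puts a legacy composition-rule check next to an SP 800-63B style policy so the difference is visible on concrete inputs. The blocklist, the user name `jdoe`, the context word `agency` and the sample passwords are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// legacyAccepts models the rule set OMB wants retired: a composition
// requirement (upper, lower, digit, symbol) over a short minimum length.
// It accepts "P@ssw0rd1" and rejects a long passphrase that has no digit.
func legacyAccepts(pw string) bool {
	has := func(f func(rune) bool) bool { return strings.IndexFunc(pw, f) >= 0 }
	symbol := func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }
	return len(pw) >= 8 && has(unicode.IsUpper) && has(unicode.IsLower) && has(unicode.IsDigit) && has(symbol)
}

// breached is a constructed stand-in for a breach-corpus blocklist; a real
// deployment would consult a large compromised-password set instead.
var breached = map[string]bool{
	"password": true, "p@ssw0rd1": true, "welcome1": true, "summer2024!": true,
}

// Policy follows NIST SP 800-63B 5.1.1.2: length bounds, a blocklist,
// context-specific words, repetitive or sequential strings, and nothing else.
type Policy struct {
	MinRunes int      // SP 800-63B: at least 8 characters for user-chosen secrets
	MaxRunes int      // SP 800-63B: verifiers should permit at least 64
	Context  []string // user name, agency or service name, etc.
}

// Check returns the reasons a candidate is rejected; an empty result means acceptable.
func (p Policy) Check(pw string) []string {
	var problems []string
	n := utf8.RuneCountInString(pw) // count characters, not bytes: Unicode is allowed
	if n < p.MinRunes {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", p.MinRunes))
	}
	if n > p.MaxRunes {
		problems = append(problems, fmt.Sprintf("longer than %d characters", p.MaxRunes))
	}
	lower := strings.ToLower(pw)
	if breached[lower] {
		problems = append(problems, "appears in breach corpus")
	}
	for _, c := range p.Context {
		if c != "" && strings.Contains(lower, strings.ToLower(c)) {
			problems = append(problems, "contains context-specific word "+c)
		}
	}
	if repetitive(lower, 4) {
		problems = append(problems, "contains a run of repeated characters")
	}
	if sequential(lower, 4) {
		problems = append(problems, "contains a sequential run such as 1234 or abcd")
	}
	return problems
}

// repetitive reports a run of n or more identical runes ("aaaa").
func repetitive(s string, n int) bool {
	run, prev := 0, rune(-1)
	for _, r := range s {
		if r == prev {
			run++
		} else {
			run, prev = 1, r
		}
		if run >= n {
			return true
		}
	}
	return false
}

// sequential reports n or more runes stepping by +1 or -1 ("abcd", "4321").
func sequential(s string, n int) bool {
	rs := []rune(s)
	for i := 0; i+n <= len(rs); i++ {
		for _, step := range []rune{1, -1} {
			ok := true
			for j := 1; j < n && ok; j++ {
				ok = rs[i+j]-rs[i+j-1] == step
			}
			if ok {
				return true
			}
		}
	}
	return false
}

// RotationDue encodes the expiry rule: no calendar-based forcing, only
// evidence of compromise. The elapsed-days input is deliberately ignored.
func RotationDue(daysSinceChange int, evidenceOfCompromise bool) bool {
	_ = daysSinceChange
	return evidenceOfCompromise
}

func main() {
	p := Policy{MinRunes: 8, MaxRunes: 64, Context: []string{"jdoe", "agency"}}
	for _, pw := range []string{"P@ssw0rd1", "Summer2024!", "jdoe-agency-2024", "correct horse battery staple"} {
		fmt.Printf("%-32q legacy=%-5v nist=%v\n", pw, legacyAccepts(pw), p.Check(pw))
	}
}
```

The contrast is the point: the composition rule waves through "P@ssw0rd1" and "Summer2024!", both of which sit in any breach corpus, and rejects a 28-character passphrase for lacking a digit, while the SP 800-63B policy does the reverse. Breach-list lookups should be done against a normalized form and a large, regularly refreshed corpus; the four-entry map here exists only so the program runs offline.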