The White House has set a goal to modernize federal cyber defenses over the next several years using a “zero trust” approach, and agencies just delivered their initial plans to the Office of Management and Budget.
The plans describe how each agency proposes to adopt various zero trust approaches and capabilities by the end of fiscal year 2024, a goal set out by the White House’s zero trust strategy released in January. The memo required agencies to submit the implementation plans by March 27.
Chris DeRusha, the federal chief information security officer at OMB, said the plans will give his team a good idea of where each agency stands.
“While these are the initial cut from the agencies, we’ve been clear that we’re going to want to have some back and forth with them to make sure that they really do align to the budget, that they aligned to our strategy, and that they align to a strategy that OMB sort of agrees the agency should be taking,” DeRusha told reporters after speaking at an April 6 conference hosted by the Institute for Critical Infrastructure Technology in Arlington, Virginia. “We’re doing that in collaboration.”
The OMB memo sets some specific deadlines beyond the FY 24 goal. For instance, within a year, agencies are required to support phishing-resistant multifactor authentication for all of their public-facing services.
But for the most part, agencies were able to tell OMB when they plan on reaching zero trust milestones as part of their implementation plans. For instance, the plans should describe how and when the agency “plans to isolate its applications and environments,” according to the strategy memo.
DeRusha said each agency’s journey will be different, especially given the vast differences in agency size and resources.
“I don’t think that you can have a one size fits all approach,” he said. “As we’re getting the small- and medium-sized agency plans in, we’re going to look at them a little bit differently than we would a huge, 250,000-person agency.”
While agencies had largely finalized their budget requests by the time the final zero trust strategy was released in January, DeRusha said OMB worked with agencies to ensure their budgets included funding for zero trust capabilities.
“I’m feeling pretty good about what we’re able to do in ’23 to fund from the strategy and make it successful,” he said.
Some agencies included more detailed zero trust plans in their FY 23 budget requests than others.
For instance, the Commerce Department is requesting $50 million in FY 23 specifically for a zero trust program. According to budget documents, the funding is pegged for endpoint detection and response capabilities, more centralized log management, and endpoint encryption.
Meanwhile, the Treasury Department is asking for about $86 million in FY 23 specifically for zero trust architecture implementation. Treasury’s near-term actions include “changes to password policies, building a new data categorization model, and making once ‘internal’ systems accessible over the Internet,” according to budget justification documents.
Federal cybersecurity roles
Meanwhile, Congress is looking to update federal cybersecurity standards for the first time since the Federal Information Security Modernization Act of 2014. Lawmakers say the law needs to reflect changes in cyber threats, new concepts like zero trust, and the creation of the Cybersecurity and Infrastructure Security Agency in 2018.
In particular, the legislative effort seeks to put CISA in charge of overseeing more aspects of agency cybersecurity efforts, a role traditionally filled by OMB and the federal CISO.
DeRusha said there’s a role in the “ecosystem” for his office, CISA, and the new White House national cyber director. But as the House and Senate negotiate a final FISMA reform bill, DeRusha said the law needs to be clear about federal roles and responsibilities.
“I think one thing we don’t want to see is a change that ends up making it harder for everybody to sort of complete their mission and potentially more confusing for agencies to work with,” DeRusha said. “We don’t want those outcomes. So while we need to acknowledge everyone’s authorities and roles, and I think we’re making good progress in that space, we are mindful of that concern.”