Earlier this week, the White House announced that the Office of Management and Budget (OMB) has released a draft of the Federal Zero Trust Strategy—a plan for moving federal civilian executive branch (FCEB) agencies toward adoption of a "zero trust" cybersecurity architecture. Adopting zero trust principles will be a significant undertaking for FCEB agencies but key to the federal government's cloud migration strategy. The Federal Zero Trust Strategy calls for agencies to implement rigorous access and monitoring controls, regardless of where the users, devices, or systems are located.

The same day as the White House announcement, the Cybersecurity and Infrastructure Security Agency (CISA), a part of the Department of Homeland Security, released drafts of two related technical documents aimed at FCEB agencies: its Cloud Security Technical Reference Architecture and its Zero Trust Maturity Model.[1] All three of these documents support President Biden's May 2021 Executive Order No. 14028, "Improving the Nation's Cybersecurity" (EO 14028), which directed FCEB agencies to accelerate their movement to secure cloud computing services and to adopt zero trust principles for their cybersecurity defenses. DWT discussed EO 14028 in a prior blog post.

Companies that provide technology services to the federal government—particularly those supplying cloud computing services through the FedRAMP program—should review this week's releases as they are likely to drive agencies' security priorities and procurement decisions for years to come. OMB and CISA have invited public comment on these materials for the next several weeks.

OMB's Federal Zero Trust Strategy

The draft Federal Zero Trust Strategy identifies priorities and sets baseline policies and technical requirements for FCEB agencies in adopting a "zero trust architecture" security model. Zero trust architecture, or "ZTA," has become something of a buzzword in the cybersecurity industry during the last couple of years, but its core concepts are not new.[2] In simple terms, ZTA rejects the idea of a clear security "perimeter"—i.e., a boundary between the untrusted outside of a computer network and the trusted inside—focusing instead on limiting, verifying and monitoring access to network services regardless of where servers, users or devices are located.

Adoption of ZTA principles—within the federal government and the private sector—has become increasingly common with the rapid migration to cloud computing and the pandemic-induced shift to work from home. Both of those factors make a strict perimeter-based security model increasingly untenable because they make it much harder to define the perimeter. For the federal government, as set forth in EO 14028, migration to the cloud and adoption of ZTA go hand-in-hand as part of the government's security modernization strategy.

The Federal Zero Trust Strategy requires FCEB agencies to achieve specific ZTA-related goals by the end of fiscal year 2024. Those goals are grouped into five categories: identity, devices, networks, applications, and data. Specific goals for agencies include:

  • Implementing enterprise-wide identity and authentication systems using single sign-on (SSO) and multi-factor authentication (MFA);
  • Deploying endpoint detection and response (EDR) tools across the agency's computers, and developing the capability to share threat data with other agencies;
  • Encrypting web traffic and email traffic;
  • Segmenting agency networks around individual applications (making it more difficult for an attacker who has compromised one application to move to others);
  • Retaining outside firms to perform security testing and assessment;
  • Maintaining a public vulnerability disclosure program;
  • Safely moving applications to be Internet accessible (and therefore not reliant on being behind a security "perimeter");
  • Auditing access to sensitive data stored in commercial clouds; and
  • Improving retention of and access to security logging.

OMB is accepting public comment on the Federal Zero Trust Strategy through September 21, 2021. Comments may be submitted by emailing zerotrust@omb.eop.gov.

CISA Cloud Security Technical Reference Architecture and Zero Trust Maturity Model

Also on September 7, 2021, CISA publicly released its Cloud Security Technical Reference Architecture (TRA) and its Zero Trust Maturity Model.

The Cloud Security TRA sets forth a Cloud Security Posture Management (CSPM) program, which establishes various security outcomes FCEB agencies should achieve and capabilities they should develop when migrating data storage to the cloud. Following EO 14028, the Cloud Security TRA discusses how the CSPM can facilitate ZTA, such as through the adoption of enterprise-wide identity. Like the Federal Zero Trust Strategy, the Cloud Security TRA emphasizes various technical security controls such as enterprise-wide identity, strong data encryption, continual monitoring, and network segmentation.

CISA's Zero Trust Maturity Model, which was previously released to agencies but only publicly released this week, mirrors OMB's document by grouping ZTA into the same five categories (which it calls ZTA "pillars"). The maturity model then defines three maturity levels—traditional, advanced, and optimal—that agencies can achieve for each category. CISA's maturity model is intended to complement the Federal Zero Trust Strategy and guide agencies on its implementation.

CISA is accepting public comment on both the Cloud Security TRA and the Zero Trust Maturity Model through October 1, 2021. Comments can be submitted by emailing tic@cisa.dhs.gov.

FOOTNOTES

[1] The Department of Defense has its own Zero Trust Reference Architecture: https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf.
[2] The National Institute of Standards and Technology (NIST) published its Special Publication (SP) 800-207, "Zero Trust Architecture," in August 2020. SP 800-207 provides a brief history of ZTA, linking the concept's development to security research from the early- to mid-2000s.