CYBERSECURITY

Moving the U.S. Government Toward a Zero-Trust Architecture

Published 27 January 2022

The Office of Management and Budget (OMB) released a Federal strategy aiming to move the U.S. government toward a “zero trust” approach to cybersecurity. The new strategy is an important step in implementing the administration’s Executive Order on Improving the Nation’s Cybersecurity, which focuses on advancing security measures that significantly reduce the risk of successful cyberattacks against the digital infrastructure of the federal government.

Here is the OMB strategy paper’s Executive Summary.

In the current threat environment, the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data. As President Biden stated in EO 14028, “Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”

A transition to a “zero trust” approach to security provides a defensible architecture for this new environment. As described in the Department of Defense Zero Trust Reference Architecture,(1) “The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.”

This strategy envisions a Federal Government where:

·  Federal staff have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks.

·  The devices that Federal staff use to do their jobs are consistently tracked and monitored, and the security posture of those devices is taken into account when granting access to internal resources.

·  Agency systems are isolated from each other, and the network traffic flowing between and within them is reliably encrypted.

·  Enterprise applications are tested internally and externally, and can be made available to staff securely over the internet.

·  Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information.