The transition to zero trust: How prepared are federal agencies?
By Matt Malarkey | Date published: 02 March 2022
Spurred on by the recent rise in cyber attacks on critical national infrastructure, in 2021 President Biden first set the expectation for all federal agencies to implement zero trust architecture (ZTA) within their networks. In the months following the Cyber Executive Order, federal agencies have been scrambling to meet the ambitious timeline given to them to get their zero trust strategies in place.
The National Institute of Standards and Technology (NIST) defines zero trust as the concept of minimizing uncertainty in enforcing accurate, least privilege per-request access decisions in a network that is viewed as being compromised.
The goal of a zero trust approach is to prevent unauthorized individuals from accessing data and services. Access control enforcement is made to be as granular as possible.
Last month, the Office of Management and Budget (OMB) released a memorandum setting forth the requirement for federal agencies to meet certain deadlines for the implementation of ZTA. It is now expected that agencies will achieve a number of zero trust goals by the end of the 2024 Fiscal Year.
These strategic goals have been aligned with the Cybersecurity & Infrastructure Security Agency’s (CISA) five pillars, as outlined below:
Staff within agencies will use enterprise-managed identities to access all systems and applications. Multi-factor Authentication (MFA) is expected to be in use.
A complete inventory of every device that the Federal Government operates and authorizes for use will be available. The ability to detect, prevent and respond to cyber attacks on every one of these devices will be necessary. Networks All HTTP traffic and DNS requests will be encrypted within their environment. A plan to isolate environments and break down perimeters should be executed.
Applications and Workloads
All applications should be treated as though they are internet connected. Rigorous testing should take place routinely and external vulnerability assessments are encouraged.
A clear shared path to deploy protections that use data categorization will be known. The use of cloud-based services to monitor access to data is expected and an organization wide information logging and sharing system should be implemented.
In the timeline set out by the OMB, federal agencies were required to have designated a zero trust strategy implementation lead within 30 days of the memorandum publish date (January 26). Within 60 days, agencies must have built upon their ZTA plan that developed following Biden’s Executive Order (EO 14028). Specific requirements for this are set out in the Memorandum.
Additionally, it is expected that agencies will source the necessary funding for their ZTA goals during Fiscal Year 2022 and Fiscal Year 2023.
So, how far have federal agencies got with the implementation of their zero trust strategies?
A report by MeriTalk and Merlin Cyber assessed how confident agency decision makers feel in regard to zero trust.
It found that 92 percent said recent federal initiatives had increased their confidence in the organization’s ability to implement zero trust.
However, 87 percent showed concern about the speed in which the Federal Government expects a strategy to be implemented. The concern is that the deadlines set by the Executive Order and OMB memorandum will lead to rushed, ineffective implementation.
Agencies have so far shown different approaches to adopting the zero trust principles. Around three quarters of those surveyed had taken an aggressive approach, while one quarter have only adopted ZT where they feel it is necessary.
There have been some differences between DoD agencies and civilian agencies, with DoD agencies being far more likely to prioritize intelligent automation of security actions in their strategies. A higher percentage of DoD agencies are also moving reliance to encryption and application testing instead of perimeter security. For civilian agencies, the priority is enabling the safe and robust use of cloud services.
Zero trust relies upon a baseline level of protection
Implementing zero trust architecture is important, its efficacy is contingent upon implementing baseline protection levels that are in compliance with existing IT security policies and standards.
Carrying out regular audits of network devices is needed to detect when the actual state of network configurations drift from the desired state, and then remediate misconfigurations that make networks vulnerable to attacks.
Government agencies and contractors in the federal supply chain have other compliance requirements, such as NIST 800-53 and NIST 800-171, which seek to ensure that networking devices are managed and compliant to IT security policies. Failing to meet these requirements can undermine zero trust principles as well as leave organizations in the supply chain open to financial penalties and loss of contracts.
Titania’s auditing solution Nipper accurately discovers vulnerabilities automates prioritizing risks and provides precise remediation advice with exact technical fixes. Nipper can be used to automate the assessment of 89% of NIST 800-171 core network controls.
Request a free trial today to see how Titania Nipper can be used by your organization as part of your strategy to keep the network secure and compliant.