Summary of the January 2022 Memo on Federal Zero Trust Strategy

Phillip Carrington
DayBlink Consulting
5 min read, Jan 28, 2022

Given the vast amounts of data the United States government holds, it has a unique responsibility to secure its own IT infrastructure and to minimize the harm a cyber intrusion can cause. With persistent and inventive adversaries in mind, the Biden Administration announced that the Federal government will move toward a Zero Trust Architecture (ZTA) by the end of fiscal year 2024. On January 26, 2022, the Office of Management and Budget (OMB) issued a memorandum (M-22-09) outlining the steps agencies must take to meet that deadline.

The memo is organized around the five pillars of the Zero Trust Maturity Model developed by the Cybersecurity and Infrastructure Security Agency (CISA): identity, devices, networks, applications and workloads, and data. The memo's goals for each pillar are summarized below:

  1. Utilize enterprise-managed identities to access applications necessary for work
  2. Establish a complete inventory of devices and endpoints operating and authorized to access government networks
  3. Encrypt all DNS requests and HTTP traffic within government networks
  4. Consider all applications and workloads as internet-connected and implement regular testing from internal and external parties
  5. Classify data in cloud services, allowing for proper access and auditing

1. Utilize enterprise-managed identities to access applications necessary for work

OMB envisions a centralized identity management system for federal employees which seamlessly integrates into all applications and platforms. The overarching security goal is that data is accessed by the right people, at the right time, for the right reasons. A centrally managed system also enhances an agency’s ability to understand typical user behavior, thereby detecting anomalous behavior. Eventually, this authentication system should work across agencies given the collaborative nature amongst them.

When accessing data, systems must enforce multi-factor authentication (MFA) at the application layer rather than only at the network perimeter. The memo requires phishing-resistant MFA, naming Personal Identity Verification (PIV) credentials and the World Wide Web Consortium (W3C) Web Authentication (WebAuthn) standard as acceptable options. It explicitly excludes methods that a phishing attack can defeat: SMS codes, voice calls, one-time codes, and push notifications. Lastly, password policies should no longer require special characters or periodic password rotation.

Ensuring that people reach only the data they should is a high priority for the government. The memo therefore directs agencies toward attribute-based access control (ABAC) rather than relying on static role-based access control (RBAC) alone. Under this posture an authorization decision considers who the requester is, what resource they are trying to reach, and at least one signal about the device they are using.
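To make the difference concrete, the following is an added example (not code from the memo or from the article's author) of a minimal ABAC check that combines the three signals the memo describes, who is asking, what they are asking for, and which device they are on, with the phishing-resistant MFA requirement from the previous paragraph. The attribute names, the policy rules, the sensitivity scale and the sample requests are all constructed for illustration; the memo defines none of them.

```python
"""Added example, not from the OMB memo or from the article's author: a
minimal attribute-based access-control (ABAC) check that combines identity,
resource and device signals with the phishing-resistant-MFA requirement.
The attribute names, policy rules and sample requests are all constructed
for illustration; the memo does not define any of them."""
from __future__ import annotations
from dataclasses import dataclass

# Authenticators the policy treats as phishing-resistant (PIV, WebAuthn).
PHISHING_RESISTANT = frozenset({"piv", "webauthn"})


@dataclass(frozen=True)
class Subject:
    user_id: str
    agency: str
    roles: frozenset[str]
    auth_method: str        # how the current session was authenticated


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool           # present in the agency's device inventory
    edr_healthy: bool       # endpoint agent installed and reporting


@dataclass(frozen=True)
class Resource:
    name: str
    owner_agency: str
    sensitivity: str        # "low", "moderate" or "high" (constructed scale)


def rbac_decision(subject: Subject, resource: Resource) -> bool:
    """Role-only check: anyone holding the 'analyst' role may read the resource.
    It knows nothing about how the user logged in or what device they are on."""
    return "analyst" in subject.roles


def abac_decision(subject: Subject, device: Device, resource: Resource) -> tuple[bool, list[str]]:
    """Attribute check. Returns (allowed, deny_reasons); collecting every
    reason rather than stopping at the first gives the audit log something
    useful to record."""
    reasons: list[str] = []
    if "analyst" not in subject.roles:
        reasons.append("missing analyst role")
    if subject.auth_method not in PHISHING_RESISTANT:
        reasons.append(f"auth method {subject.auth_method!r} is not phishing-resistant")
    if not device.managed:
        reasons.append("device is not in the inventory")
    if resource.sensitivity == "high":
        if not device.edr_healthy:
            reasons.append("EDR agent not healthy on device")
        if subject.agency != resource.owner_agency:
            reasons.append("cross-agency access to high-sensitivity data")
    return (not reasons, reasons)


# Constructed sample requests against one high-sensitivity dataset.
CASE_FILES = Resource("case-files", "DOI", "high")
ALICE = Subject("alice", "DOI", frozenset({"analyst"}), "piv")
BOB = Subject("bob", "DOI", frozenset({"analyst"}), "sms")
MANAGED_LAPTOP = Device("L1", managed=True, edr_healthy=True)
PERSONAL_PHONE = Device("P7", managed=False, edr_healthy=False)


def compare_models() -> dict[str, tuple[bool, bool]]:
    """For each sample request, return (rbac_allows, abac_allows)."""
    samples = {
        "alice/managed": (ALICE, MANAGED_LAPTOP),
        "bob-sms/managed": (BOB, MANAGED_LAPTOP),
        "alice/personal": (ALICE, PERSONAL_PHONE),
    }
    return {
        label: (rbac_decision(s, CASE_FILES), abac_decision(s, d, CASE_FILES)[0])
        for label, (s, d) in samples.items()
    }


if __name__ == "__main__":
    for label, (rbac, abac) in compare_models().items():
        print(f"{label:16} RBAC={rbac!s:5} ABAC={abac}")
```

The role check alone admits all three requests; the attribute check refuses the SMS-authenticated session and the unmanaged phone, and records why. In a real deployment the device attributes would come from the inventory and EDR feeds described under pillar 2, not from constants.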

2. Establish a complete inventory of devices operating and authorized to access government networks

Agencies must maintain a complete and accurate inventory of devices through CISA's Continuous Diagnostics and Mitigation (CDM) program, so that each agency knows which devices, users, and systems interact within the organization. The memo envisions extending CDM into cloud infrastructure through automated discovery so that the inventory stays current.

Furthermore, agencies must deploy endpoint detection and response (EDR) coverage that meets CISA's technical requirements. Where an agency lacks the necessary tooling, CISA will procure it on the agency's behalf.

3. Encrypt all DNS requests and HTTP traffic within government networks

Agencies should make every effort to encrypt all network traffic using current protocols, and to inspect and analyze it. Traffic that cannot be decrypted should still be analyzed for unusual behavior through metadata analysis, machine learning, and other review techniques.

Additionally, agencies must use encrypted DNS (DNS-over-HTTPS or DNS-over-TLS) and HTTPS across all networks. To make HTTPS the only way to reach a site, agencies should submit their .gov domains to the HSTS preload list built into major browsers, which causes the browser to refuse plaintext HTTP for those domains. The stated goal is to preload the entire .gov top-level domain.
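An agency preparing a domain for preloading first has to serve a qualifying Strict-Transport-Security header. The following is an added example, not code from the memo or the article, that checks a header against the preload list's publicly documented requirements: a max-age of at least one year, the includeSubDomains directive, and the preload directive. The sample headers are constructed.

```python
"""Added example, not from the memo or the article: check whether a
Strict-Transport-Security (HSTS) header satisfies the publicly documented
requirements of the browser HSTS preload list (max-age of at least one
year, includeSubDomains, and the preload directive). The sample headers
below are constructed; the threshold is the list's documented minimum."""
from __future__ import annotations

ONE_YEAR_SECONDS = 31_536_000   # preload list minimum max-age (365 days)


def parse_hsts(header: str) -> dict[str, str]:
    """Split 'max-age=63072000; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive (RFC 6797), so they are lowered;
    valueless directives map to an empty string."""
    directives: dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_problems(header: str) -> list[str]:
    """Return every reason the header would be rejected for preloading;
    an empty list means it passes the header-level checks."""
    d = parse_hsts(header)
    problems: list[str] = []
    raw_age = d.get("max-age")
    if raw_age is None:
        problems.append("max-age directive missing")
    elif not raw_age.isdigit():
        problems.append(f"max-age {raw_age!r} is not a non-negative integer")
    elif int(raw_age) < ONE_YEAR_SECONDS:
        problems.append(f"max-age {raw_age} is below one year ({ONE_YEAR_SECONDS})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


# Constructed headers: one that qualifies, one typical of a site that
# enabled HSTS without thinking about preloading.
GOOD_HEADER = "max-age=63072000; includeSubDomains; preload"
WEAK_HEADER = "max-age=300"

if __name__ == "__main__":
    for h in (GOOD_HEADER, WEAK_HEADER):
        print(h, "->", preload_problems(h) or "eligible")
```

The header is only part of the bar: the preload list also requires a valid certificate, an HTTP-to-HTTPS redirect on the same host, and the header on the base domain, none of which a header parser can verify. Note too that includeSubDomains makes every subdomain HTTPS-only, so an agency should inventory its subdomains (pillar 2 again) before submitting.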

The memo makes no recommendation on encrypting email; CISA will evaluate open standards instead. It recognizes that securing email is hard, but, given its ubiquity in daily work, email must remain a viable means of communication.

Alongside these changes, agencies should move to an enterprise-wide architecture that isolates applications and their environments from one another. They must produce a roadmap, and the budget it requires, for reaching full zero trust in their cloud architecture by the deadline.

4. Consider all applications and workloads as internet-connected and implement regular testing from internal and external parties

This section of the memo calls for all Federal applications, regardless of who built them, to be rigorously and continuously reviewed, with findings captured in a Security Assessment Report (SAR). Because agency resources are limited and the private sector holds deep testing expertise, agencies are encouraged to augment their own testing with external assessors. CISA and GSA will develop a procurement strategy that agencies can follow to obtain these tests.

Furthermore, agencies should establish a channel for receiving unsolicited external vulnerability reports by September 2022, together with a plan for addressing reported flaws in a timely manner. OMB plans to audit a random sample of recent security reports to check compliance.

Lastly, agencies must move toward automated deployment pipelines that support least-privilege, immutable workloads: production environments in which code changes only by redeploying through the pipeline, not by manual edits, which strengthens the agency's security posture as a whole.

5. Classify data in cloud services, allowing for proper access and auditing

Federal agencies must enable cloud security services that discover, classify, and protect sensitive data. These services must include agency-wide logging and information sharing, so that who accessed which data, and when, is tracked. The policies must cover databases, loosely structured data stores, and intermediate datasets. To that end, the Chief Data Officers (CDO) Council and the Federal Chief Information Security Officer (CISO) Council will create a working group on how best to address these issues.

As part of proper data management, security orchestration, automation, and response (SOAR) should be used. Fully automated response is difficult, so the memo points agencies toward machine learning (ML) to detect unusual or suspicious behavior in real time. Given the complexity of ML, agencies should first identify data categories that can be reviewed with scripts or other simple technical means, and get comfortable with automating those reviews before expanding. Lastly, auditing mechanisms should provide historical records of access.
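What that first, script-level stage can look like is shown in the following added example (not code from the memo or the article): a handful of plain rules run over data-access audit records, flagging what an auditor would want to see before any model is involved. The record format, the field names, the business-hours window, the rules and the log lines themselves are all constructed for this example.

```python
"""Added example, not from the memo or the article: the 'scripts or other
simple technical means' stage the memo recommends before machine learning,
applied to data-access audit records. The record format, field names,
rules and the log lines themselves are constructed for this example."""
from __future__ import annotations
from datetime import datetime

# Constructed audit records: timestamp user dataset sensitivity action key=value...
SAMPLE_LOG = """\
2022-01-27T14:02:11Z alice case-files high read device=L1 managed=yes
2022-01-27T23:41:05Z bob case-files high read device=P7 managed=no
2022-01-27T09:15:30Z carol public-forms low read device=L3 managed=yes
2022-01-28T03:10:00Z alice payroll high export device=L1 managed=yes
"""

BUSINESS_HOURS = range(7, 19)   # assumed working window, in the log's timezone (UTC)


def parse_record(line: str) -> dict:
    """Turn one audit line into a dict; trailing key=value pairs become attributes."""
    ts, user, dataset, sensitivity, action, *pairs = line.split()
    attrs = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "dataset": dataset,
        "sensitivity": sensitivity,
        "action": action,
        "device": attrs.get("device"),
        "managed": attrs.get("managed") == "yes",
    }


def findings_for(record: dict) -> list[str]:
    """Plain rules that need no model: each is something an auditor would
    want to see even if it turns out to be benign."""
    out: list[str] = []
    high = record["sensitivity"] == "high"
    if high and not record["managed"]:
        out.append("high-sensitivity data accessed from an unmanaged device")
    if high and record["ts"].hour not in BUSINESS_HOURS:
        out.append("high-sensitivity access outside business hours")
    if high and record["action"] == "export":
        out.append("export of a high-sensitivity dataset")
    return out


def review(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (user, dataset, findings) for every record that trips a rule,
    in log order; clean records are dropped."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        hits = findings_for(rec)
        if hits:
            flagged.append((rec["user"], rec["dataset"], hits))
    return flagged


if __name__ == "__main__":
    for user, dataset, hits in review(SAMPLE_LOG):
        print(f"{user} -> {dataset}: {'; '.join(hits)}")
```

Rules like these are cheap to write, easy to explain to an auditor, and produce the labelled history of flagged and unflagged access that a later ML stage needs as training data; the audit trail the memo asks for is the same record set.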

Final Thoughts

This OMB memo offers important recommendations and key ingredients for implementing a Zero Trust Architecture across the entire Federal government. By leveraging well-known and tested ZTA methodologies, the United States government is hardening critical IT infrastructure against persistent adversaries.

For any questions or comments on the analysis above — please contact:

Phillip Carrington, Manager — Phillip.Carrington@DayBlink.com

Justin Whitaker, Partner — Justin.Whitaker@DayBlink.com
