A new draft memo seeks to build out the federal government’s underlying zero trust architecture in order to smooth the path for a coterie of recent cybersecurity related executive orders, initiatives and mandates from President Joe Biden.
The memorandum, released Tuesday by the Office of Management and Budget, requires major progress on the part of agencies over the next three years in the areas of identity management, device and asset tracking, encryption of federal network traffic and software testing. The document is open to feedback from agencies and the public until Sept. 21. As part of the effort, the Cybersecurity and Infrastructure Security Agency at DHS released draft versions of their own zero trust maturity model and cloud security guidance, both of which are accepting public comment until Oct. 1.
Like every other organization, the federal government “can no longer depend on perimeter-based defenses to keep its critical systems and data safe,” the memo states. Indeed, while federal cybersecurity systems like Einstein and Continuous Diagnostics and Mitigation were busy scouring federal networks, hacks like the SolarWinds and Microsoft Exchange campaigns were able to bypass those defenses by explicitly targeting the applications and servers that agencies already trusted.
While those systems aren’t going anywhere soon, the new strategy delineates a clear attempt to center the government’s cybersecurity away from the perimeter and towards an environment where software, hardware and people are regularly validated and verified.
The goal: by the end of fiscal 2024, government agencies should have an enterprise identity system in place for staff, contractors and partners to access applications that includes phishing-resistant multi-factor authentication, a complete inventory of IT devices and hardware in place and the ability to conduct detection and incident response on them, network segmentation for internal systems and encryption of all DNS requests and HTTP traffic, routine testing of application code for security weaknesses in tandem with vulnerability disclosure programs, and enterprise-wide logging and information sharing practices around cybersecurity threats.
The White House is also pushing for a raft of changes to identity management practices in government, including single sign on schemes for different applications and cloud services. Agencies must also have secure password policies as well and use a CISA-approved solution to cross-check internal passwords against breached data released or leaked online.
The requirements around code testing, particularly the push to get agencies to use both automated testing tools in tandem with more targeted manual and human-directed reviews, reflect the Biden administration’s view that software security sits at the heart of the many of the most damaging hacks in recent memory.
“For federal applications to withstand sophisticated probing and attack, agencies need to go beyond implementing and documenting security controls,” OMB warns. “To gain confidence in the security of their systems, agencies will need to analyze their software and its deployed functionality with a comprehensive and rigorous approach, whether their software is built internally or by a contracted vendor.”
The sprawling continuous diagnostics and mitigation program is still viewed as “foundational” to the government’s asset management goals, but will be adjusted to incorporate more least access privilege features and better align with the security challenges posed by cloud infrastructure. Eventually, the government wants to ensure that “every human-operated enterprise-provisioned device has an agency-chosen endpoint detection and response (EDR) tool.”
It will have to incorporate more zero trust functionality of its own to limit who has access to the tools and data. Similar to how experts sometimes worry about the security implications of giving antivirus programs and endpoint detection and response systems near complete control and access over your network, the government is worried that CDM’s own visibility into federal networks and devices could be compromised or used as a vector for a broader hacking campaign.
In fact, a key argument from the U.S. government while defending their ban on agencies buying or using Kaspersky Labs software was that the exquisite control antivirus programs have provide over host systems and devices and local Russian laws around data storage made them too risky to leave in federal networks. The concern here is similar.
“CISA must assume that its own monitoring infrastructure could become compromised and adjust the CDM program accordingly,” the memo warns.
It’s the latest shoe to drop from the Biden White House in a year where the administration has sought to put its stamp on federal cybersecurity operations and policy as it responds to a wave of damaging hacks against government, industry and critical infrastructure. That includes a massive cybersecurity executive order modernizing security practices for agencies and contractors, a raft of announcements with the private sector last month kicking off a range of initiatives to shore up cooperation on supply chain security and the cybersecurity workforce, enhanced requirements around data logging and others.
