White House hits the gas on zero trust

Newly released strategy and technical guidance documents covering zero trust and cloud security are open for comment as part of a federal push to improve federal government cybersecurity.

NOTE: This story first appeared on FCW.com.

The push to convert federal networks, systems and devices to a zero trust security architecture is accelerating, with the release of three new draft guidance documents as part of the White House administration’s push to improve the nation’s cybersecurity.

The documents, including the federal zero trust strategy from the Office of Management and Budget and a zero trust maturity model and cloud security technical reference architecture from the Cybersecurity and Infrastructure Security Agency, are meant to provide government agencies with the roadmap and resources required to sustain a multi-year push towards zero trust. That effort is an outgrowth of the cybersecurity executive order signed by President Joe Biden earlier this year.

OMB and CISA released the request for comments on a Tuesday, saying the draft documents were meant "to accelerate agencies towards a shared baseline of early zero trust maturity" while assisting them as they implement zero trust architectures. The effort includes the launch of a joint website from OMB and CISA covering zero trust implementation.

OMB's draft federal zero trust strategy includes a set of deliverables due by the close of fiscal year 2024, including setting up enterprise-wide identity management at agencies, adopting multi-factor authentication, establishing comprehensive device inventories and encrypting data on agency networks. The OMB document also tasks agencies with getting rid of requirements for password rotation and the use of special characters, "which have been known to lead to weaker passwords in real-world use." Instead, OMB wants agencies to consult National Institute of Standards and Technology guidance on appropriate passwords and passphrases as a component of a multi-factor authentication scheme.

The cyber executive order signed in May requires the federal government to advance towards a zero trust architecture and mandated the strategy and technical guidance documents released this week.

CISA deputy executive assistant director Matt Hartman said at a June ACT-IAC panel that the White House had begun collaborating with his agency and others ahead of the cyber order to begin drafting new guidance around transitioning to advanced security systems.

"It's important to consider that many of these tasks [in the executive order] are sprints to develop strategies," he said at the time. "The administration fully recognizes that many of the core issues being addressed will only be solved through years - literally years - of focus and continued investment."

The comment periods for the CISA documents on cloud security architecture and the zero trust maturity model run through October 1. Comments on the zero trust guidance from OMB are due by September 21.