Trust issues: three tips for agencies implementing the OMB zero trust guidelines


The Biden administration has made zero trust a priority for the federal government, going so far as to issue an executive order directing agencies to develop cybersecurity plans that include a zero trust architecture.

The latest OMB guidelines highlight the urgency of the problem: “In today’s threat environment, the federal government can no longer rely on perimeter-based defenses to protect critical systems and data. Meeting this challenge will require a major paradigm shift in the way federal agencies approach cybersecurity.”

Agencies have until the end of September 2024 to meet five specific zero-trust security goals that focus on identity, device, network, application and data management.

But as with many cyber challenges, meeting these goals takes more than just deploying a solution or strategy. Whether it’s changing the way the government thinks about cybersecurity or leveraging the tools already available to federal IT teams, agencies have a lot of work ahead of them.

By addressing sensitive points in the process now, agencies will not be caught off guard. With that in mind, below are some tips for agencies to think about before implementing a zero trust architecture using OMB guidance.

Make a cultural shift

Building a zero-trust architecture in an agency’s cybersecurity framework isn’t just about deploying the technology and calling it a day. It will require a fundamental change in the way federal IT teams – and the federal workforce as a whole – view cybersecurity.

Zero trust can be broken down into three broad actions: verify every user, validate every device, and provide only the access that is needed. It sounds simple, but it goes against long-standing habits of prioritizing perimeter defense and believing that users inside the network perimeter can be trusted.

A fundamental principle of zero trust is that users inside the network should not be granted greater trust than those outside the network perimeter or working off the network altogether.

Use available resources

Agencies planning to implement a zero trust architecture under OMB leadership and using CISA’s maturity model should not try to reinvent the wheel.

For example, President Biden’s cybersecurity executive order requires agencies to deploy an Endpoint Detection and Response (EDR) initiative to “support the proactive detection of cybersecurity incidents within federal government infrastructure, active cyber hunting, containment and remediation, and incident response.”

In this case, federal IT teams must look to the myriad of commercial EDR solutions already available as a starting point, and then tailor those solutions to the unique needs of their agency. This saves time not only in development, but also in deployment and implementation, as much of the front-end work has already been done by the vendor.

Find the right fit

Each agency must adapt its zero trust strategy to its own specific needs and missions. This means tackling the granular issues as well as the big-picture issues.

From a big-picture perspective, an agency with a fully remote workforce will have a different plan than one that has never left the office or is gradually bringing operations back in person.

Granular analysis would look at how agency employees use certain tools. Validating a user and device at the start of each sign-in session may be the right solution for an agency that doesn’t run on a large number of apps.

But in many cases, this measure would not provide an adequate level of security and control for agencies that use a variety of applications and IT resources. For these types of agencies, validating access by application within a login session is the way to go.

Zero trust is the way to go, but it cannot be done without taking the right foundational steps and building on them. It will not be easy for federal agencies. The term “zero trust” is often misinterpreted as implying that the workforce is not trustworthy, rather than that trust is an attribute that needs to be revalidated, just as identity is when employees are required to display a badge when entering the physical workplace. Some goals and concepts are more difficult to explain and are complicated in practice, but doing so from the start will make it easier to successfully implement a zero trust strategy.

A good first step in zero trust access that can fine-tune application access control is zero trust network access (ZTNA). It extends the ZTA principles by checking users and devices before each app session to make sure they comply with the organization’s policy for accessing that app.
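The difference between validating once at sign-in and validating before each app session can be shown with a small policy check. This is an added example, not code from OMB, CISA or any vendor; the application names, group names and posture attributes are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Device:
    managed: bool
    disk_encrypted: bool
    edr_running: bool

@dataclass
class User:
    name: str
    mfa_verified: bool
    groups: frozenset

# Hypothetical per-application policy: who may use the app and what the device must prove.
APP_POLICY = {
    "hr-portal": {"groups": {"hr"},
                  "posture": ("managed", "disk_encrypted", "edr_running")},
    "wiki": {"groups": {"staff", "hr"}, "posture": ("managed",)},
}

def signin_only_access(user, device_at_signin, apps):
    """Session-level model: one check at sign-in, then every app is trusted."""
    ok = user.mfa_verified and device_at_signin.managed
    return {app: ok for app in apps}

def authorize_app_session(user, device, app):
    """Per-app model: evaluated before every app session, default deny."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "no policy for app"
    if not user.mfa_verified:
        return False, "user not verified"
    if not (user.groups & policy["groups"]):
        return False, "user not entitled to app"
    # Device state is read at request time, not cached from sign-in.
    failed = [check for check in policy["posture"] if not getattr(device, check)]
    if failed:
        return False, "device posture failed: " + ", ".join(failed)
    return True, "ok"

if __name__ == "__main__":
    alice = User("alice", True, frozenset({"hr"}))   # constructed sample user
    laptop = Device(True, True, True)                # constructed sample device
    print(signin_only_access(alice, laptop, ["hr-portal", "wiki"]))
    laptop.edr_running = False                       # EDR agent stops mid-session
    for app in ("hr-portal", "wiki"):
        print(app, authorize_app_session(alice, laptop, app))
```

After the EDR agent stops, the sign-in-only model has already granted both apps for the life of the session, while the per-app check refuses the sensitive app and still allows the low-risk one.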

There’s a lot more to think about, but the tips above will help agencies implement a zero trust architecture from the start. This will position the government for successful implementation at a time when failure is not an option.

Jim Richberg is the Public Sector Field Information Security Officer at Fortinet.

