A federal strategy released on Wednesday calls for the US government to adopt a “zero trust” security model within the next two years to defend against current threats and improve cybersecurity defenses across federal agencies.
This strategy was released by the White House’s Office of Management and Budget (OMB), which oversees the implementation of the President’s vision across the US Executive Branch.
The announcement follows the release of an initial strategy draft in September that was prompted by the President’s Executive Order (EO) 14028.
This executive order initiated a government-wide effort to move toward zero trust and modernize the nation’s defenses against cyberattacks.
“This memorandum sets forth a Federal zero trust architecture (ZTA) strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 in order to reinforce the Government’s defenses against increasingly sophisticated and persistent threat campaigns,” said OMB’s Acting Director Shalanda D. Young in a press release.
“Those campaigns target Federal technology infrastructure, threatening public safety and privacy, damaging the American economy, and weakening trust in Government.”
Key features of this new zero trust strategy include improved phishing defense through strong multi-factor authentication, consolidation of agency identity systems, encryption of traffic and treatment of internal networks as untrusted, and stronger application security to better protect data.
Zero Trust Security Model
The US government’s shift to zero trust security principles comes after cybersecurity companies have pushed the zero trust network model over the past few years.
This push reached its climax with the NSA and Microsoft recommending a zero trust security approach last February for large enterprises and crucial networks, including National Security Systems, the Department of Defense, and the Defense Industrial Base.
Zero trust is a security approach where local devices and connections are never trusted and verification is needed at every step because defenders already assume that hackers have access to the network.
Forrester Research’s John Kindervag first created the security model in 2010. Google also implemented some of its concepts in 2009 in an internal project, now called BeyondCorp, after some of its intellectual property was stolen during the Operation Aurora cyber attack.
“In the face of increasingly sophisticated cyber threats, the Administration is taking decisive action to bolster the Federal Government’s cyber defenses,” Young said. “This zero trust strategy is about ensuring the Federal Government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the United States harm.”