OMB Memorandum M-22-09 Federal Zero Trust Strategy

December 1, 2022

The OMB Memorandum M-22-09 Federal Zero Trust Strategy focuses on application security, modern authentication, and web isolation. These technologies are essential to protect data and websites in the Federal sector. However, to effectively implement these strategies, agencies must be equipped with the right expertise and tools.

On January 26, 2022, the Office of Management and Budget (OMB) published OMB Memorandum M-22-09. The memo outlines the Federal Zero Trust Architecture strategy and requires federal agencies to meet certain cybersecurity standards by 2024. Agencies are also required to upgrade their IT infrastructures and modernize their security controls. The zero-trust model refers to a system that does not rely on outside services.

The OMB Memorandum M-22-09 details the requirements for agencies to implement Zero Trust solutions and platforms. The demands are aggressive. The memo provides nearly three years for agencies to achieve Zero Trust postures, and it calls for most agencies to have a plan in place to achieve that goal by December 2024. However, the memo doesn’t specify metrics for success.

The Federal Zero Trust Architecture strategy establishes a new benchmark for access controls and requires agencies to meet cybersecurity standards by 2024. It’s based on the zero-trust maturity model developed by the Cybersecurity and Infrastructure Security Agency (CISA). The memo also highlights a critical MFA gap. Currently, many approaches to MFA aren’t sufficiently secure against sophisticated phishing attacks. It also highlights the need for agencies to implement phishing-resistant MFA approaches. Examples include personal identity verification (PIV) and multi-factor authentication.

Application Security

Federal agencies are already making the transition to zero trust. Invicti Federal Sales Manager, Ted Rutsch, spoke with Tony Plater, Chief Information Security Officer of the Navy, about the Navy’s experience in transitioning to zero trust and the cultural shift that takes place in Federal agencies.

OMB Memo M-22-09 provides a framework for achieving zero trust security. This framework is called the Zero Trust Maturity Model (ZTM). Agencies will be expected to work towards securing five key pillars and three major themes. However, many federal agencies are still far from meeting the optimal maturity level.

The DoJ’s formal review highlights the importance of cross-agency collaboration and includes the private sector in knowledge sharing. It also states that there are upwards of 1.9 billion web applications in use today, many of which are used by the government. The federal government has a vital role to play in securing these systems.

Earlier this year, the White House released an Executive Order that aims to protect the public and private sectors from cyberattacks. The order specifies the steps agencies must take in order to create a zero trust national digital infrastructure. It also highlights the priorities of federal agencies and deadlines for meeting the new framework.

Using modern authentication tools is an important part of implementing a zero trust framework. However, M-22-09 does not go into detail about these tools. It does refer to the M-22-01 guidance. Using the proper multi-factor authentication tools will enable agencies to prevent malicious actors from exploiting critical data and systems.

Modern authentication

Federal IT administrators are replacing VPNs with advanced authentication and authorization solutions. These solutions are designed to provide better security and simplify the user experience. They also help agencies establish a Zero Trust environment and tighten the security perimeter around sensitive applications. This is particularly important for federal agencies as they move to the cloud for more sensitive applications.

Zero trust architectures limit an attacker’s mobility across a network by requiring specific permission for each resource. This requires a specific policy defined by the agency. Using this approach, the Federal Government is focusing on five pillars of zero trust architecture: identity, device security, network security, application and workload security, and data security. A centralized identity provider is essential for this strategy.

Zero trust will help agencies detect and respond to cyber threats more quickly. It will provide a comprehensive roadmap for a shift in the basic assumptions of federal cybersecurity. The goal of zero trust is to protect public safety, privacy, and infrastructure. Federal employees have enterprise-managed accounts to help them protect their identities and information from targeted phishing attacks.

In addition to zero trust network access, the Federal Government has also mandated that all federal agencies implement modern authentication and access control solutions to protect sensitive data. This mandate is part of the White House’s strategy for cybersecurity, and is a key step in the government’s cloud migration strategy.

Zero trust security is a far cry from traditional network security. Traditionally, organizations built and managed their networks with a “trust but verify” approach, automatically trusting users and devices within a perimeter. However, this approach also puts organizations at risk from malicious actors stealing credentials from legitimate users. As the cloud and distributed work environments continue to grow, the old model is becoming obsolete.

Web isolation

The Office of Management and Budget published M-22-09 on January 26, 2022, outlining activities agencies must implement to comply with Executive Order 14028. The strategy emphasizes the need to secure the endpoints by delivering only safe content. Web isolation enables organizations to protect themselves from the threats of mobile devices.

The strategy is aimed at improving cybersecurity across Federal agencies. By 2024, federal agencies should have adopted a zero trust architecture, which will protect federal networks and databases from malicious actors. The memorandum also sets out specific cybersecurity standards and deadlines for implementation. This is a major step toward improving the cybersecurity posture of the federal government.

Zero trust security is a strategic priority for the federal government. The Office of Management and Budget issued M-22-09, which outlines the federal government’s goals for zero trust adoption. The goal is to protect government networks and IT infrastructures from malicious actors and other threats. However, zero trust does not mean that government applications are open to the internet.

The federal government is moving toward zero trust architectures and the use of endpoint detection and response to prevent cyberattacks. The Biden administration also issued Executive Order 14028, which directed federal agencies to develop a Zero Trust Architecture plan within 60 days. The memo, M-22-09, provides detailed information on how agencies will implement Zero Trust Architecture.

To support these Zero Trust initiatives, agencies are working to enhance their existing security programs and coordinate their deployment. For example, the Federal Government’s Protective DNS program will be leveraged by agencies. Additionally, existing large-scale CISA programs will be enhanced to support Federal cloud architectures and digital asset inventory management.

HEAT attacks

The White House recently released three draft guidance documents on Zero Trust security architecture. The documents are meant to provide roadmaps and resources to implement Zero Trust security solutions and address specific challenges that organizations face. In this session, subject matter experts will discuss the importance of Zero Trust Security and the challenges that organizations face when implementing the new security model.

The Executive Order on Improving the Nation’s Cybersecurity directed federal agencies to begin moving toward zero-trust architecture by mid-July 2021. The OMB was required to publish security strategy guidance 90 days prior to that date. Unfortunately, that date has passed and the federal agencies are still struggling to meet the deadline.

Implementing an endpoint detection and response (EDR) tool is an essential part of implementing a zero-trust framework. Although the M-22-09 does not go into detail on the specifics of EDR tools, it does emphasize the importance of implementing this technology.

While Zero-Trust architecture may not be easy to implement, it can provide a powerful security platform. The goal of implementing this technology is to make federal agencies’ IT environments more secure and scalable, enabling frictionless and secure interactions between users. The Zero Trust framework requires a flexible and agile security framework that can adapt to rapidly changing environments and user behavior.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

