Cybersecurity: White House rolls out zero trust strategy for federal agencies

Federal agencies have until the end of the fiscal year 2024 to "achieve specific zero trust security goals."
Written by Jonathan Greig, Contributor

The Biden Administration released a new cybersecurity strategy for federal agencies that will move the government toward a "zero trust" security model. 

The nearly 30-page plan lays out dozens of measures federal agencies need to take in the next two years to secure systems and limit the risk of security incidents. The government is still recovering from the SolarWinds scandal, which saw Russian hackers spend months inside government systems at multiple US agencies. 


Government agencies have until the end of fiscal year 2024 to put in place many of the measures described in the plan, which include more stringent network segmentation, multi-factor authentication, and widespread encryption. Departments are given 60 days or 120 days to appoint leads, who will implement the measures and classify certain information based on sensitivity. 


The White House said the growing threat of sophisticated cyberattacks "underscored that the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data."

"The zero trust strategy will enable agencies to more rapidly detect, isolate, and respond to these types of threats. By detailing a series of specific security goals for agencies, the new strategy will serve as a comprehensive roadmap for shifting the Federal Government to a new cybersecurity paradigm that will help protect our nation. These goals are directly aligned with and support existing zero trust models," the White House explained. 

The move is part of a larger effort to secure the country's systems that began last year with an executive order.

In September, the White House released a first draft of the strategy. The final draft includes insights from cybersecurity experts, companies, and non-profits. 

The White House noted that the recent Log4j vulnerability is "the latest evidence that adversaries will continue to find new opportunities to get their foot in the door."

Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said zero trust is a crucial element to modernize and strengthen the government's defenses.

"As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity," Easterly said. "CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity."


A number of organizations came out in support of the move, noting that the federal government has needed to update its security posture and do more to lock down certain systems. 

Phil Venables, CISO at Google Cloud, said Google has long advocated for the adoption of modern security approaches -- like zero trust -- and would support the federal government "as it embarks upon its zero trust journey."

Tim Erlin, VP of strategy at Tripwire, called the memorandum a substantial step forward for cybersecurity across the US government. He noted, however, that it's "unfortunate" that the strategy doesn't provide a clearer role for one of the key tenets for zero trust: integrity monitoring. 

"Documents from both CISA and NIST include integrity monitoring as a key component of zero trust, but the OMB memorandum doesn't include similar treatment. This memorandum includes substantial requirements and discussion around Endpoint Detection and Response (EDR), and in doing so, runs the risk of over-reliance on a specific technology," Erlin said. 

"EDR is already evolving into Managed Detection and Response (MDR) and Extended Detection and Response. The cybersecurity technology landscape moves quickly, and there's a real risk that agencies will find themselves required to implement and run a superseded capability."
