White House Releases Zero Trust Strategy for Federal Government

The White House has unveiled its strategy to embed a zero trust approach to cybersecurity across the federal government.

The memorandum, published by the Office of Management and Budget (OMB), sets out a series of specific security goals for agencies to establish a ‘never trusted, always verified’ model. This includes introducing stronger enterprise identity and access controls, such as multi-factor authentication (MFA). It also wants federal agencies to have a complete inventory of every device it operates and authorizes for government use and encrypt all DNS requests and HTTP traffic within their environment.

The strategy represents a key component of delivering President Joe Biden’s Executive Order last year, which mandated a drive to secure cloud services and zero trust across federal government departments and their suppliers.

Federal agencies must incorporate the additional requirements identified in the new memorandum into their plans to develop zero trust architecture within 60 days. In addition, they need to designate and identify a zero trust strategy implementation lead for their organization.

The latest requirements were developed in response to increasingly sophisticated cyber-attacks, including the Log4j vulnerability. The OMB said such incidents have demonstrated that the federal government can no longer depend on conventional perimeter-based defenses to protect critical systems and data.

Federal chief information officer Clare Martorana commented: “Security is the cornerstone of our efforts to build exceptional digital experiences for the American public.

“Federal agency CIOs and IT leadership are leaning into this challenge, and the zero trust strategy provides a clear roadmap for deploying technology that is secure by design and responsive to the needs of our workforce so they can better deliver for the American public.”

Responding to the memorandum, Vats Srivatsan COO of ColorTokens, pondered whether the UK will take a similar approach to mandating zero trust principles across the government. "This week the United States took a proactive step towards safeguarding the nation with resilient security. Government-wide zero trust mission completion will be a journey, and the path has been laid out in a set of goals and implementation efforts outlined in the OMB's strategy. This undoubtedly sets a precedent for other countries and is a well laid-out model of implementation that the UK can and should borrow from.

“Zero trust is widely recognized as a highly effective, long-term approach to breach resilience; however, zero trust architecture can't be achieved overnight. The sooner any institution embarks on a zero trust journey to modernize its cyber-defenses, the sooner zero trust maturity and breach resilience can be achieved. Boris Johnson is known to keep his eye on modern technology, so it is a surprise that the UK appears to be kicking the zero trust can down the road. That being said, the UK frequently follows suit on US policy, oftentimes with some initial hesitation. If the UK plans to stay ahead of the threat environment, it will certainly want to follow the US's lead."

Earlier this week, the UK government announced a new cybersecurity strategy designed to protect essential public sector services from being shut down by hostile actors.

What’s Hot on Infosecurity Magazine?