Published on April 6th, 2022
White House reviewing agency zero trust cybersecurity plans
The White House has set a goal to modernize federal cyber defenses over the next several years using a “zero trust” approach, and agencies just delivered their initial plans to the Office of Management and Budget.
The plans describe how each agency proposes to adopt various zero trust approaches and capabilities by the end of fiscal year 2024, a goal set out by the White House’s zero trust strategy released in January. The memo required agencies to submit the implementation plans by March 27.
Chris DeRusha, the federal chief information security officer at OMB, said the plans will give his team a good idea of where each agency stands.
“While these are the initial cut from the agencies, we’ve been clear that we’re going to want to have some back and forth with them to make sure that they really do align to the budget, that they aligned to our strategy, and that they align to a strategy that OMB sort of agrees the agency should be taking,” DeRusha told reporters after speaking at an April 6 conference hosted by the Institute for Critical Infrastructure Technology in Arlington, Virginia. “We’re doing that in collaboration”
The OMB memo sets some specific deadlines beyond the FY 24 goal. For instance, within a year, agencies are required to support phishing-resistant multifactor authentication for all of their public-facing services.
But for the most part, agencies were able to tell OMB when they plan on reaching zero trust milestones as part of their implementation plans. For instance, the plans should describe how and when the agency “plans to isolate its applications and environments,” according to the strategy memo.
DeRusha said each agency’s journey will be different, especially given the vast differences in agency size and resources.
“I don’t think that you can have a one size fits all approach,” he said. “As we’re getting the small- and medium-sized agency plans in, we’re going to look at them a little bit differently than we would a huge, 250,000-person agency.”
The White House is requesting $10.9 billion in cybersecurity-related funding for federal civilian agencies in FY-23, an 11% increase above last year’s request. Some of that is expected to go toward implementing zero trust architectures.
While agencies had largely finalized their budget requests by the time the final zero trust strategy was released in January, DeRusha said OMB worked with agencies to ensure their budgets included funding for zero trust capabilities.
“I’m feeling pretty good about what we’re able to do in ’23 to fund from the strategy and make it successful,” he said.
Some agencies included more detailed zero trust plans in their FY 23 budget requests than others.
For instance, the Commerce Department is requesting $50 million in FY 23 specifically for a zero trust program. According to budget documents, the funding is pegged for endpoint detection and response capabilities, more centralized log management, and endpoint encryption.
Meanwhile, the Treasury Department is asking for about $86 million in FY 23 specifically for zero trust architecture implementation. Treasury’s near-term actions include “changes to password policies, building a new data categorization model, and making one ‘internal’ systems accessible over the Internet,” according to budget justification documents.
Federal cybersecurity roles
Meanwhile, Congress is looking to update federal cybersecurity standards for the first time since the Federal Information Security Modernization Act of 2014. Lawmakers say the law needs to reflect changes in cyber threats, new concepts like zero trust, and the creation of the Cybersecurity and Infrastructure Security Agency in 2018.
In particular, the legislative effort seeks to put CISA in charge of overseeing more aspects of agency cybersecurity efforts, a role traditionally filled by OMB and the federal CISO.
DeRusha said there’s a role in the “ecosystem” for his office, CISA, and the new White House national cyber director. But as the House and Senate negotiate a final FISMA reform bill, DeRusha said the law needs to be clear about federal roles and responsibilities.
“I think one thing we don’t want to see is a change that ends up making it harder for everybody to sort of complete their mission and potentially more confusing for agencies to work with,” DeRusha said. “We don’t want those outcomes. So while we need to acknowledge everyone’s authorities and roles, and I think we’re making good progress in that space, we are mindful of that concern.”