Draft plan of federally mandated cybersecurity measures released for comments; due Sept. 21
Since the beginning of the year, the federal government has put forward a number of advisories and orders intended to tighten the nation’s cyber defenses. Most recently this week, the Office of Management and Budget released a draft of its Federal Zero Trust Strategy that supports President Joe Biden’s executive order “Improving the Nation’s Cyber Security,” which he issued in May.
Comments can be submitted through Sept. 21.
“The United States government faces increasingly sophisticated and persistent cyber threat campaigns that target its technology infrastructure, threatening public safety and privacy, damaging the American economy and weakening trust in government,” the draft memo reads.
At its core, the initiative is intended to raise the minimum level of security practices across the board. Following up May’s executive order, which mandated that federal agencies and civilian companies that do business with the government must move toward uniform a zero-trust cybersecurity architecture, the Office of Management and Budget’s strategy outlines next steps.
Traditionally, the federal government has used perimeter-based defenses—authorized users are able to freely access digital spaces once they’re through security. Zero-trust cybersecurity architectures are radically different, in that no user is trusted with any kind of access. Rather, everyone must continuously confirm their identity.
“The foundational tenant of the Zero Trust Model is that no actor, system, network or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access,” according to the Department of Defense’s Zero Trust Reference Architecture brief. “It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks and data, from verify once at the perimeter to continual verification of each user, device, application and transaction.”
Outlined in the plan are a number of proposed baseline zero-trust security measures like universal activity logging, single sign-on and multi-factor authentication, reliable asset inventories and ubiquitous use of encryption—a process of encryption that gives only the sender and recipient decryption key.
“While the concepts behind zero trust architectures are not new, the implications of shifting away from ’trusted networks’ are new to most enterprises, including many federal agencies,” the draft notes. “This will be a journey for the federal government, and there will be learning and adjustments along the way as agencies and policies adapt to new practices and technologies.”
The memorandum would require that federal agencies achieve specific zero trust security goals by the end of 2024. Among those requirements are the implementation of phishing-resistant multi-factor authentication systems, an inventory of every device that’s owned by the agency, encryption of all domain name system (DNS) requests and HTTP traffic, rigorous and routine testing of applications and cloud security measures, among others.
While sweeping, the draft emphasizes that it’s a necessary step—and not just for the federal government.
Cyber breaches are becoming more and more common. On Thursday, for example, Dorchester County, South Carolina announced that a phishing attack earlier in the year compromised sensitive information of its residents.
“The phishing incident resulted in unauthorized access to certain information collected and maintained by the County for a variety of reasons, including names, addresses, email addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account numbers, credit card and debit card numbers, usernames and passwords, and medical information,” says the statement, which was issued by the Dorchester County Government.
For local governments looking to update their own cybersecurity standards to a zero trust model, more information published by the National Cybersecurity Center of Excellence can be found on the agency’s website. Public comments about the Office of Management and Budget’s Federal Zero Trust Strategy draft memo can be sent to [email protected].
Gloss