White House tells agencies to adopt the 'Zero Trust' security model

Agencies have 60 days to come up with an implementation plan.

The White House wants the government to adopt a security model called Zero Trust within the next two years. The Office of Management and Budget (OMB) released a finalized federal strategy that lays out the initial details of the shift.

It told agencies to each designate a strategy implementation lead within 30 days. Agencies were given 60 days to submit an implementation plan to the OMB and Cybersecurity and Infrastructure Security Agency (CISA).

"This memorandum sets forth a federal Zero Trust architecture (ZTA) strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of fiscal year (FY) 2024 in order to reinforce the government’s defenses against increasingly sophisticated and persistent threat campaigns," OMB acting director Shalanda D. Young wrote in the memo. "Those campaigns target federal technology infrastructure, threatening public safety and privacy, damaging the American economy and weakening trust in government."

The Zero Trust approach is based on the notion that local devices and connections can't be completely trusted. Users need to be authorized, authenticated and continuously validated. Organizations usually have control over Zero Trust setups, and users and devices are often only granted access to essential data, apps and services.

Google offers a Zero Trust solution called BeyondCorp. Last week, a company called Sikur revealed a smartphone it designed using Zero Trust principles.

The release of the strategy follows an executive order President Joe Biden signed last year with the aim of improving the country's cybersecurity, as well as a draft strategy that the OMB published in September.

The finalized strategy lays out a vision for the government in which staff have "enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks." The devices would be continuously monitored and each agency's system would be isolated, with reliable encryption for internal network traffic and for data sent to other agencies.

Under this approach, enterprise applications would be tested internally and externally before staff could access them over the cloud. The OMB also said federal security teams and data teams would work together "to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information."

The strategy directs agencies to harness strong, phishing-resistant multi-factor authentication, perhaps using physical methods like Personal Identity Verification cards. The OMB also told agencies to have a full inventory of devices that are authorized and used for official business and to make sure they meet CISA standards.

The White House cited the Log4j vulnerability that recently emerged as the latest proof that "adversaries will continue to find new opportunities to get their foot in the door."

"This strategy is a major step in our efforts to build a defensible and coherent approach to our federal cyber defenses," national cyber director Christopher Inglis said in a statement. "We are not waiting to respond to the next cyber breach. Rather, this administration is continuing to reduce the risk to our nation by taking proactive steps towards a more resilient society."