OMB Zero Trust Implementation Strategy

Last week’s OMB launch of its strategy to move the Federal Government towards a zero-trust framework is another sign that the Biden Administration is committed to taking cybersecurity seriously. While it will take years to get Government Agencies to fully embrace the concept of “continual authentication and verification” of every user, application, and system process that makes up these organizational networks, it is a good start to move the entire Federal system towards more effective cyber practices.

There is much to dig through in this lengthy document to get a fuller sense of what Federal Agencies need to do to embrace zero trust. First and foremost is the recognition that zero trust is not a product but a frame of mind: cyber intrusion is something that will happen, not something that could happen. A host of incidents targeting supply chains, open source software, and cloud-based applications throughout 2021 highlighted this reality.

In a nutshell, the OMB strategy lays out five basic developmental efforts (the memo calls them pillars) that Federal Agencies should strive to accomplish by the end of Fiscal Year 2024. They are:

  1. The creation of enterprise-managed digital identities with phishing-resistant multi-factor authentication (MFA).
  2. Identification of all devices used to interact with the network, with a system that can continuously monitor, assess, and protect those devices.
  3. Improved network security that incorporates encryption of all interactions and data transmissions entering, leaving, and moving about the network, along with network segmentation around applications.
  4. Continual testing of applications and workloads, including newly required third-party testing, continual sharing of public vulnerability data, new vulnerability disclosure requirements, and an effort to automate most system and application updates across the enterprise.
  5. A push for consistent cataloguing and categorization of data to better leverage automated monitoring, tighter access controls around sensitive data, and timely access to logs after an incident is discovered.

While most of these basic efforts are explained fully in the document, there are a couple of interesting requirements that will be harder to adjust to, complicated to enact, and in some cases even in tension with other requirements within the five areas. In other cases, some important requirements are still forthcoming and will have to wait for further guidance by OMB to be fully met.

In the first area (Digital Identity), perhaps the most difficult part of this effort will be launching phishing-resistant MFA. It is different from much of the MFA that users grew accustomed to during the Covid pandemic, where a one-time code is delivered by text message or email and typed in after the normal userid/password login. Those codes are not phishing resistant: a lookalike site can simply ask the user for the code and relay it to the real service. Phishing-resistant MFA ties the authentication to the legitimate site itself, so a credential captured on a lookalike site is rejected. Meeting the requirement will likely mean some form of hardware-backed credential that is used first to register a user's access and then again every time that user logs on. The document highlights that this will most often come in the form of Personal Identity Verification (PIV) smart cards, and it also names the WebAuthn/FIDO2 standard as an acceptable phishing-resistant option. Most of these devices will require provisioning and lifecycle management to be fully integrated with the newly minted digital identity systems, and smart cards can be lost or stolen, which means a whole new revocation and replacement process must be in place to stay compliant.
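What "phishing resistant" means mechanically, as an added example that is not from the original post or from the OMB memo: a toy relying party, browser and authenticator in the WebAuthn style, with an HMAC keyed by a per-credential secret standing in for the device's private-key signature. The origins, RP IDs and the relay scenario are all hypothetical. The point it shows is that a one-time code relayed through a lookalike site is accepted, while an assertion is bound to the origin the browser actually visited and to the RP ID's hash, so every path the relay proxy can take is refused somewhere.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example: an agency relying party (RP), a browser and a toy authenticator.
# An HMAC keyed by a per-credential secret stands in for the device's private-key
# signature; all origins and RP IDs are hypothetical.
AGENCY_ORIGIN = "https://login.agency.example"
AGENCY_RP_ID = "login.agency.example"
PHISHER_ORIGIN = "https://login.agency.example.phisher.example"  # lookalike fronting a relay proxy


def host_of(origin):
    return origin.split("://", 1)[1].split("/", 1)[0]


class ToyAuthenticator:
    """One credential secret per RP ID, created at registration."""

    def __init__(self):
        self.credentials = {}

    def make_credential(self, rp_id):
        self.credentials[rp_id] = secrets.token_bytes(32)
        return self.credentials[rp_id]  # handed to the RP; stands in for the public key

    def get_assertion(self, rp_id, client_data):
        if rp_id not in self.credentials:
            raise LookupError(f"no credential for RP ID {rp_id!r}")
        # authenticatorData begins with SHA-256(rp_id), then flags and a counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self.credentials[rp_id], to_sign, "sha256").digest()


def browser_get(authenticator, origin, rp_id, challenge):
    """The browser, not the page script, records the origin in clientData and
    refuses an RP ID that is neither the origin's host nor a parent domain of it."""
    host = host_of(origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"RP ID {rp_id!r} not allowed for origin {origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig


def attempt(authenticator, origin, rp_id, challenge):
    """None when the browser or the authenticator refuses to produce an assertion."""
    try:
        return browser_get(authenticator, origin, rp_id, challenge)
    except (PermissionError, LookupError):
        return None


class RelyingParty:
    def __init__(self, origin, rp_id):
        self.origin, self.rp_id = origin, rp_id
        self.credential_key = None
        self.otp_secret = secrets.token_bytes(16)

    def register(self, authenticator):
        self.credential_key = authenticator.make_credential(self.rp_id)

    def send_otp(self):
        """The code delivered by SMS or e-mail; it carries nothing about where it gets typed."""
        digest = hmac.new(self.otp_secret, b"login-step", "sha256").digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def verify_otp(self, code):
        return hmac.compare_digest(code, self.send_otp())

    def verify_assertion(self, challenge, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False
        if cd.get("origin") != self.origin:
            return False  # minted on another site: the relay case
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return hmac.compare_digest(hmac.new(self.credential_key, to_sign, "sha256").digest(), sig)


def run_demo():
    """Which login attempts the RP accepts; True on a 'proxy' entry means the relay worked."""
    authenticator, rp = ToyAuthenticator(), RelyingParty(AGENCY_ORIGIN, AGENCY_RP_ID)
    rp.register(authenticator)
    challenge = secrets.token_urlsafe(16)
    results = {}
    # SMS/e-mail code: the victim types it into the lookalike page and the proxy forwards it.
    results["otp_relayed"] = rp.verify_otp(rp.send_otp())
    # Genuine login from the real origin.
    cd, ad, sig = browser_get(authenticator, AGENCY_ORIGIN, AGENCY_RP_ID, challenge)
    results["webauthn_genuine"] = rp.verify_assertion(challenge, cd, ad, sig)
    # Victim on the phisher's origin: the page cannot request the agency RP ID,
    # and its own RP ID has no credential behind it.
    results["proxy_asks_agency_rpid"] = attempt(authenticator, PHISHER_ORIGIN, AGENCY_RP_ID, challenge) is not None
    results["proxy_asks_own_rpid"] = attempt(authenticator, PHISHER_ORIGIN, host_of(PHISHER_ORIGIN), challenge) is not None
    # Even an assertion produced past the browser check names the wrong origin.
    forged = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": PHISHER_ORIGIN}, sort_keys=True).encode()
    ad, sig = authenticator.get_assertion(AGENCY_RP_ID, forged)
    results["proxy_relays_assertion"] = rp.verify_assertion(challenge, forged, ad, sig)
    return results
```

Run `run_demo()` and only `otp_relayed` and `webauthn_genuine` come back True. The same origin and RP ID binding is what a PIV-based login gets from the certificate and the TLS session, which is why the memo groups PIV and WebAuthn together; SMS, e-mail and app-generated codes have no such binding and are excluded.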

Another interesting requirement is found in area three (Improved Network Security), where OMB is mandating that all Domain Name System (DNS) traffic be encrypted. DNS is the Internet's (or an intranet's) phone directory. Every time a user reaches out for a page, the browser sends the site's hostname to a DNS resolver, which looks it up and returns the address to connect to. Historically those queries were sent in the clear, so an adversary on the path could read them to learn which users talk to which services, which is useful targeting information. OMB now mandates that this traffic be encrypted (the protocols available today are DNS over TLS and DNS over HTTPS) so that prying eyes cannot use it for bad intent. While laudable and certainly doable with technology available today, this requirement is in tension with other mandates in the document, such as the need for automated systems to constantly monitor those same queries for bad actors leveraging the network. It could likewise complicate efforts to assess whether an insider is doing something unwarranted. Because the enterprise resolver is where the encrypted sessions terminate, agencies will likely need new ways to search at both ends of the query process, on the endpoint and at the resolver, to accomplish the same monitoring goals.
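The monitoring tension just described, in code, as an added example that is not part of the original post or the OMB memo. It builds a cleartext DNS query the way a stub resolver does, decodes the queried name back out of it (what a passive observer on port 53 sees), and then runs one watchlist and tunnelling check both over sniffed packets and over a hypothetical key=value query log of the kind the enterprise resolver produces once clients speak DoT or DoH to it. The watchlist, the log format and the sample records are constructed for the example, and the length and entropy thresholds are illustrative rather than tuned.

```python
import math
import struct

# Constructed sample data for this example (not from OMB or any real network).
WATCHLIST = {"badactor-c2.example", "evil-updates.example"}
TUNNEL_LABEL = "".join(chr(ord("a") + i % 26) for i in range(52))  # long, high-entropy label
SAMPLE_LOG = [  # hypothetical key=value resolver log format, constructed here
    "ts=2022-02-01T10:00:00Z client=10.1.2.3 qname=www.example.gov qtype=A",
    "ts=2022-02-01T10:00:01Z client=10.1.2.9 qname=update.badactor-c2.example qtype=A",
    f"ts=2022-02-01T10:00:02Z client=10.1.2.9 qname={TUNNEL_LABEL}.example.gov qtype=TXT",
]


def build_query(name, qtype=1, txid=0x1234):
    """Encode a minimal DNS query as a stub resolver sends it over UDP/53.

    Header: ID, flags (RD=1), QDCOUNT=1, other counts 0.
    Question: length-prefixed labels, zero terminator, QTYPE, QCLASS=IN.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(packet):
    """Decode the question name from a cleartext DNS packet: the metadata an
    on-path observer reads off port 53. Under DoT/DoH the same bytes sit
    inside TLS and a passive sniffer sees only the resolver's address."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    (qdcount,) = struct.unpack("!H", packet[4:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not occur in a question name
            raise ValueError("unexpected label compression in question")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def _entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in (text.count(ch) for ch in set(text)))


def assess_qname(qname):
    """Checks that work identically on a wire-sniffed name or a resolver log entry."""
    findings = []
    parts = qname.lower().rstrip(".").split(".")
    if ".".join(parts[-2:]) in WATCHLIST:
        findings.append("watchlist domain")
    if len(parts[0]) >= 40 and _entropy(parts[0]) > 3.5:
        findings.append("tunnel-like label")
    return findings


def assess_wire(packets):
    """Pre-encryption monitoring: names come straight off captured port-53 packets."""
    hits = {}
    for packet in packets:
        qname = parse_qname(packet)
        findings = assess_qname(qname)
        if findings:
            hits[qname] = findings
    return hits


def assess_resolver_log(lines):
    """Post-encryption monitoring: the enterprise resolver terminates DoT/DoH,
    so its query log is where the same checks now have to run."""
    hits = {}
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        qname = fields.get("qname")
        if qname and (findings := assess_qname(qname)):
            hits[qname] = findings
    return hits


if __name__ == "__main__":
    packets = [build_query("www.example.gov"), build_query("update.badactor-c2.example")]
    print("wire:", assess_wire(packets))
    print("resolver log:", assess_resolver_log(SAMPLE_LOG))
```

The detection logic is deliberately the same function in both paths; what changes with the encryption mandate is only where the name is obtained, and a query from a client that bypasses the enterprise resolver (a browser pointed at a public DoH provider) reaches neither path, which is why the endpoint side of the search still matters.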

Other OMB mandates will have to wait until Government experts have evaluated standards and technologies to offer viable and secure solutions for Federal Agencies. The biggest one here is the selection of an e-mail standard that will allow e-mail traffic to be fully and automatically encrypted without causing other problems when it is activated. This is huge given that e-mail continues to serve as the biggest entry point for bad actors tricking users into giving them access to their networks, as well as the tool hackers already inside a network use to phish their way to greater access and control.

Largely missing from the document is direction on how Federal Agencies will be able to fully accomplish these requirements by 2024, specifically where the financial and personnel resources will come from. Many Federal Agencies currently have neither the resources nor the talent to make the transition, and the talent needed goes beyond traditional SOC expertise to include data scientists, network engineers, and software security experts. Senior Biden Cyber leaders have encouraged those Agencies that are further along to assist others, and new programs working with private sector companies are being put in place to bring in talent where it is needed, but that likely will not be enough. Automation will certainly help, but getting there will take much effort to encode knowledge of the network into smart programs so that only what is known and trusted can operate.

Overall, the strategy is a great start, but one that will require a good deal of further organization, focus, resources, and patience to see it through. 2024 is an ambitious and understandable goal, but it will likely take continued commitment by future administrations to see this effort successfully implemented.