The US Government has released its zero trust strategy to help government agencies implement zero trust architectures. It requires federal agencies to meet certain standards before the end of the 2024 fiscal year.
The zero trust strategy aims to improve the nation’s security posture and reduce the potential harms from cyber attacks. It assumes that attackers cannot be kept outside of network perimeters and sensitive data should be protected at all times.
The move toward zero trust architecture is a significant undertaking for the federal government, and this strategy aims to outline a common path for agencies to take, as well as limit uncertainty about transitioning.
It will require agency heads to partner with IT leadership in a joint commitment to overhaul the current security architecture and move toward a zero trust model. The strategy encourages agencies to assist each other as they work to implement zero trust architecture, exchanging information and even staff where necessary. Ultimately, the zero trust strategy aims to make the federal agencies stronger and more resilient against cyber attacks.
What Does The Zero Trust Architecture Strategy Include?
The Cybersecurity and Infrastructure Security Agency (CISA) created a zero trust maturity model to guide the strategy. The model contains five pillars including:
- Applications and Workloads
There are also three themes that cut through each of these areas:
- Visibility and Analytics
- Automation and Orchestration
First, the strategy includes a number of identity-related goals. Federal agencies must establish centralized identity-management systems for their employees. These systems must integrate with common platforms and applications.
Another core goal is for agencies to use strong multi-factor authentication (MFA) throughout the organization. MFA must be enforced at the application layer rather than at the network layer. Password policies no longer require the use of special characters or frequent password changes.
The new strategy will also require that user authorization incorporates at least one device-level signal. This could include confirming the device is authorized to access the application and has up-to-date security patches.
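The following is an added example, not taken from the strategy or from LuxSci: a sketch of an application-layer authorization check that combines the MFA result with the two device-level signals mentioned above. The inventory, the field names, the reason codes and the 30-day patch threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_PATCH_AGE_DAYS = 30  # assumed threshold, not a value from the strategy


@dataclass(frozen=True)
class Device:
    authorized_apps: frozenset  # apps this device may reach
    last_patched: date          # date of the last security update


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    mfa_verified: bool          # MFA result checked by the application itself
    device_id: Optional[str]
    source_ip: str              # carried for logging only, never a trust input


# Constructed sample inventory (hypothetical devices and applications).
INVENTORY = {
    "LAPTOP-001": Device(frozenset({"payroll", "mail"}), date(2024, 5, 20)),
    "LAPTOP-002": Device(frozenset({"mail"}), date(2024, 1, 15)),
}


def authorize(req, today, inventory=INVENTORY):
    """Return (allowed, reasons). Deny unless every check passes."""
    reasons = []
    # The network location (source_ip) is deliberately not consulted:
    # being "inside" the perimeter grants nothing.
    if not req.mfa_verified:
        reasons.append("mfa_required")
    device = inventory.get(req.device_id)
    if device is None:
        reasons.append("unknown_device")
    else:
        if req.app not in device.authorized_apps:
            reasons.append("device_not_authorized_for_app")
        if (today - device.last_patched).days > MAX_PATCH_AGE_DAYS:
            reasons.append("device_patches_stale")
    return (not reasons, reasons)
```

Returning every failed check, rather than stopping at the first, gives the audit log a complete record of why a request was denied.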
Under the Devices pillar, federal agencies must participate in CISA’s Continuous Diagnostics and Mitigation (CDM) program. This allows them to create reliable asset inventories. The other major goal is for each agency’s Endpoint Detection and Response (EDR) tools to be deployed widely and to meet CISA’s technical requirements.
Among the network-related measures, agencies need to use encrypted DNS to resolve DNS queries wherever it is technically supported. They must also force HTTPS for all web and API traffic. On top of this, agencies need to submit to the Office of Management and Budget a zero trust architecture plan that includes their approach to environmental isolation.
Applications and Workloads
In addition, there are a number of application and workload-related goals for agencies, including:
- Operating dedicated application security testing programs.
- Undergoing third-party application security evaluations.
- Running a public vulnerability disclosure program.
- Working toward deploying services that employ immutable workloads.
When it comes to data, agencies must follow a zero trust data security guide created by a joint committee made up of Federal Chief Data Officers and Chief Information Security Officers. Agencies must also automate data categorization and security responses, with a focus on tagging and managing access to sensitive documents. They must also audit any access to encrypted data in commercial cloud services. Another goal is for agencies to work alongside CISA to implement logging and information sharing capabilities.
Zero Trust Architecture and the Future
The federal government isn’t just pushing toward a zero trust architecture model as a fun new hobby. Instead, it is a response to the increasing sophistication of cyber attacks, especially those originating from nation-state level groups.
These complex and well-resourced cyber attacks aren’t only a threat to government agencies. Other organizations face similar threats in the ever-changing threat landscape. The reality is that businesses also need to move toward the zero trust model in order to effectively defend themselves in the future.
LuxSci can help your organization make the change through services such as our zero trust email options, or our zero trust dedicated servers. Contact our team to find out how LuxSci can help your organization prepare for a zero trust future.