How Federal Agencies Can Meet New Zero Trust Mandates

The Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) recently released a new guidance that offers federal agencies with a roadmap and resources required to sustain a multi-year push towards Zero Trust.

In what Federal Computer Week calls “hitting the gas on Zero Trust,” this new guidance aims to accelerate agencies towards a shared baseline of early Zero Trust maturity, and also offers an OMB and CISA joint-website that highlights implementation guidance for this cybersecurity architecture.

The Zero-Trust-related deliverables that agencies need to meet by the end of fiscal year 2024 include setting up enterprise-wide identity management, adopting multi-factor authentication, as well as the establishment of comprehensive device inventories and encrypting data on agency networks.

In addition, recently appointed CISA Director Jen Easterly offered commentary in the White House press release about these new mandates, and discussed how CISA will play a critical role in this effort.

“The Zero Trust Maturity Model is one of the many ways CISA is helping federal agencies protect their systems, and we are excited to release this model to gain further insights from the public,” said Easterly in the press release.  “Through our strong partnerships and ongoing collaborative efforts, CISA will develop new and innovative ways to secure constantly changing network perimeters to enable critical federal IT modernization.”

Earlier this year, Makpar published a comprehensive white paper that highlighted how the SolarWinds breach pointed to the need for going back to cybersecurity basics.

One chapter of the white paper titled, “The Foundation for Zero Trust,” discusses how a strong and robust Continuous Diagnostics and Mitigation (CDM) program will help to provide a proactive approach to improving an agency’s cybersecurity posture.

In particular, this chapter discusses how CDM Phase 2, and eventually CDM Phase 3, will serve as a foundation to achieve “Zero Trust” verification for all applications and processes connected to agency systems before granting users access. In order to get to Zero Trust, agencies need to first understand what is happening on their networks through their CDM efforts.

With regards to the case of SolarWinds breach, attackers inserted malicious code next to trusted code within the SolarWinds Orion Platform DLL. From there, they were then able to gain access to any organization that downloaded that code.

Ultimately, employing Zero Trust would have impeded lateral movement by the hackers across the network, such as what happened at the Department of Justice where the SolarWinds hackers were able to escalate their privileges to gain access into the email servers.

Makpar applauds the Biden administration efforts to help advance widespread adoption of Zero Trust throughout government, and it reinforces the value that industry can play in helping federal agencies develop stronger cybersecurity postures.

Be sure to listen to our podcast with Mustafa Lutfi, an InfoSec Consultant at Makpar, who provides commentary around this white paper.

In addition, Makpar’s highly skilled and certified cybersecurity experts understand the technology and methodologies required to preserve the Confidentiality, Integrity, and Availability of information in all computing environments. Please click here to learn more.