OMB has issued guidance on the Biden administration’s initiative to move the federal government toward a “zero trust” approach to cybersecurity, finalizing policies that had been put out for comment last fall.
“By detailing a series of specific security goals for agencies, the new strategy will serve as a comprehensive roadmap for shifting the federal government to a new cybersecurity paradigm that will help protect our nation. These goals are directly aligned with and support existing zero trust models,” OMB said in an announcement.
OMB memo M-22-09 said the foundation of the approach is that “no actor, system, network, or service operating outside or within the security perimeter is trusted.” In practice that includes giving federal employees “enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks,” and requiring that the devices they use “are consistently tracked and monitored, and the security posture of those devices is taken into account when granting access to internal resources.”
Further, federal security teams and data teams are to “work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information.”
Other key tenets include that agency systems are to be “isolated from each other, and the network traffic flowing between and within them is reliably encrypted”; and that “enterprise applications are tested internally and externally, and can be made available to staff securely over the internet.”
Meanwhile, bipartisan leaders of the House Oversight and Reform Committee have introduced a bill (HR-6497) to update the Federal Information Security Modernization Act (FISMA) to emphasize “next generation security principles like a risk-based paradigm, zero trust principles, endpoint detection and response, cloud migration, automation, penetration testing, and vulnerability disclosure programs,” in the words of a summary.
Other areas of emphasis in the bill include stressing continuous risk assessment; requiring agencies to keep inventories of all internet-accessible information systems and assets; beefing up incident reporting requirements; and promoting inter-agency cooperation.