It told agencies to each designate a strategy implementation lead within 30 days. Agencies were given 60 days to submit an implementation plan to the OMB and Cybersecurity and Infrastructure Security Agency (CISA).
“This memorandum sets forth a federal Zero Trust architecture (ZTA) strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of fiscal year (FY) 2024 in order to reinforce the government’s defenses against increasingly sophisticated and persistent threat campaigns,” OMB acting director Shalanda D. Young wrote in the memo. “Those campaigns target federal technology infrastructure, threatening public safety and privacy, damaging the American economy and weakening trust in government.”
The Zero Trust approach starts from the premise that no device or network connection, including those inside an organization’s own perimeter, can be trusted by default. Every user must be authenticated, authorized and continuously validated rather than trusted once at login. Organizations typically keep central control over a Zero Trust deployment, and users and devices are granted access only to the data, applications and services they actually need.
The finalized strategy lays out a vision for the government in which staff have “enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks.” The devices would be continuously monitored and each agency’s system would be isolated, with reliable encryption for internal network traffic and sending data to other agencies.
Under this approach, enterprise applications would be tested internally and externally before staff could access them over the cloud. The OMB also said federal security teams and data teams would work together “to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information.”
The strategy directs agencies to harness strong, phishing-resistant multi-factor authentication, perhaps using physical methods like . The OMB also told agencies to have a full inventory of devices that are authorized and used for official business and to make sure they meet CISA standards.
“This strategy is a major step in our efforts to build a defensible and coherent approach to our federal cyber defenses,” said Christopher Inglis, national cyber director. “We are not waiting to respond to the next cyber breach. Rather, this administration is continuing to reduce the risk to our nation by taking proactive steps towards a more resilient society.”