White House announces zero-trust strategy to improve government cybersecurity
The White House today announced a strategy for implementing zero-trust security, a popular cybersecurity approach, across the federal government’s digital infrastructure.
Zero-trust security is a more effective approach to protecting networks from hacking attempts than the perimeter-based strategy that organizations have historically used. It’s being increasingly adopted across both the public and private sectors.
In the traditional perimeter-based approach, systems connected to a network have to meet less stringent cybersecurity requirements than systems outside the network. For example, requests made by one application to another might be automatically accepted if both workloads are running in the same data center. But if one of the applications runs in an external data center, its requests would not be accepted automatically.
The zero-trust security model specifies that all systems, both inside and outside a network, must meet the same stringent cybersecurity requirements. The strategy that the White House announced today provides a roadmap for how federal agencies should go about implementing zero-trust security.
The strategy, released by the Office of Management and Budget, includes several components. It specifies steps that federal agencies should take to better secure applications, employee devices and data traffic in their networks. The memorandum also highlights other processes that can be implemented to improve cybersecurity.
“In the face of increasingly sophisticated cyber threats, the Administration is taking decisive action to bolster the Federal Government’s cyber defenses,” said Acting OMB Director Shalanda Young. “This zero-trust strategy is about ensuring the Federal Government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the United States harm.”
The strategy specifies that adopting zero-trust security will require federal agencies to implement multifactor authentication more broadly. The vision is that agency staff will use authentication devices, such as hardware security keys, to log into systems. Such devices are much more difficult for hackers to compromise than passwords.
Another goal of the strategy is helping federal agencies better secure the devices from which staffers log into internal systems. The vision, the memorandum states, is that agencies will develop the ability to more effectively detect and respond to cybersecurity issues affecting employee devices.
The strategy also covers other types of information technology assets. The document states that, to improve cybersecurity, agencies will have to isolate their IT systems from one another and ensure traffic between them is encrypted. Moreover, federal agencies will have to routinely test applications for cybersecurity issues and accept external vulnerability reports.
“Security is the cornerstone of our efforts to build exceptional digital experiences for the American public,” said Federal Chief Information Officer Clare Martorana. “Federal agency CIOs and IT leadership are leaning into this challenge, and the zero-trust strategy provides a clear roadmap for deploying technology that is secure by design and responsive to the needs of our workforce so they can better deliver for the American public.”
Federal agencies are required to designate a zero-trust strategy implementation lead for their organization within 30 days. Agencies will have to submit a plan for implementing the strategy’s requirements within 60 days.