OMB Publishes Draft Zero Trust Strategy for Civilian Agencies
The Office of Management and Budget has released a draft federal strategy on the government’s effort to transition to zero trust.
The National Institute of Standards and Technology defines zero trust as a security architecture that does not automatically trust a user based solely on the user's physical or network location or asset ownership.
Zero trust is a key element of President Joe Biden’s May 12 executive order, which is aimed at modernizing the federal government’s cybersecurity and improving threat-sharing with the private sector.
OMB’s draft strategy directs federal civilian agencies to prioritize several key security outcomes and set baseline policy and technical requirements, the White House said Monday.
Agencies were tasked with consolidating their identity systems, implementing multi-factor authentication to mitigate phishing attacks, treating internal networks as untrusted by default and moving protections closer to data, among other measures.
Biden said the shift to zero trust is a “multi-year journey” and the government will adjust its cybersecurity strategies along the way as needed.
“The federal government’s approach to cybersecurity must rapidly evolve to keep pace with our adversaries, and moving toward zero trust principles is the road we need to travel to get there,” said Federal Chief Information Security Officer Chris DeRusha.
The Cybersecurity and Infrastructure Security Agency released a complementary zero trust maturity model to guide agencies in their development of the security architecture.
CISA also published a cloud security technical reference architecture that was developed in collaboration with the U.S. Digital Service and the Federal Risk and Authorization Management Program.