The Zero-Trust Timer Is on for Federal Agencies — How Ready Are They?

  /     /     /  
Publicated : 23/11/2024   Category : security


The Zero-Trust Timer Is on for Federal Agencies — How Ready Are They?


A new study coincides with OMB’s finalization of its zero-trust strategy through 2024.



Its official. On January 26, the US Office of Management and Budget (OMB)
laid out its Federal Zero Trust Strategy
in a finalized version of the memorandum thats been making the rounds in draft form for a couple of months now. The
document
formalizes OMB expectations for zero-trust architecture at all federal agencies, with deadlines set to meet a spate cybersecurity objectives by the end of 2024.
The question is, how ready are the agencies to make good on these expectations?
According to a survey also released last week, technology and security leaders tasked with the monumental push are hopeful about their agencys ability to implement zero trust — but they believe that the OMB is pushing them to move too fast with its set of deadlines.
Understanding the OMB Zero-Trust Deadlines
The sweeping measures demanded by OMB are driven by the
cybersecurity executive order
issued by the president in May and shaped by the Zero Trust Maturity Model
publicly released
by the Cybersecurity and Infrastructure Security Agency (CISA) in September. Based on that model, OMB has grouped its objectives around five core pillars of cybersecurity, namely identity, devices, networks, applications and workloads, and data. A quick round-up of the OMB expectations for agencies by the end of 2024 are as follows:
Identity
Employ centralized identity management thats integrated into apps and common platforms
Use phishing-resistant MFA across the enterprise that’s enforced at the network layer
Require at least one device-level signal for user authorization
Devices
Create reliable asset inventories through CISAs Continuous Diagnostics and Mitigation program
Widely deploy and use endpoint detection and response (EDR) that meets CISAs technical requirements
Networks
Use encrypted DNS wherever technically supported
Enforce HTTPS for all Web and API traffic
Develop a zero-trust architecture plan in consultation with CISA that describes the agencys approach to segmentation
Applications and Workloads
Operate dedicated application security (appsec) testing programs
Engage with vetted appsec firms for third-party independent appsec evaluation
Run a public vulnerability disclosure program for Internet-accessible systems
Move toward using immutable workloads, especially for cloud-based infrastructure
Data
Automate data categorization, focusing on tagging and managing access to sensitive documents
Implement comprehensive logging and information sharing
Audit and monitor access to encrypted data stored in commercial cloud infrastructure
In order to ensure agencies are on track for meeting these deadlines, OMB has some more immediate cutoff dates that agency leaders have to meet in the next few months.
Within 30 days of the memo, all agencies are required to designate to the OMB a zero-trust strategy implementation lead for their organization. These will be the people who will be coordinating with OMB, CISA, and other government agencies in the run-up to 2024. And within 60 days of the memo, agencies have got to be ready to submit to the OMB an implementation plan and budget planning for the next two years for meeting the zero-trust strategy requirements.
Uncertainty About the Aggressive Timeline
Even with the head start given to agencies with the executive order and CISA models release last year, many within the federal space think the timeline may be overly optimistic and could even potentially do more harm than good. A
study released by MeriTalk
last week shows positive signs that agency technologists are grateful for the cybersecurity and modernization push thats driving this latest memo. Conducted among 151 federal cybersecurity decision-makers, 92% say recent initiatives have increased their confidence in their agencys ability to implement zero trust. And 73% of them say that their agency is already aggressively adopting zero-trust principles.
However, 87% believe that the OMB is pushing agencies to move too fast for zero-trust implementation. Only about one in ten say they have the support they need right now to achieve optimal zero-trust maturity.
The results shouldnt be a surprise, says Stuart Itkin, vice president of CMMC & FedRAMP Assurance at cybersecurity consulting firm Coalfire. Date-driven government initiatives havent typically fared well.
The survey showed that approximately three in four respondents reported it would be challenging to very challenging for their agency to reach optimal maturity in each of the five pillars, with the highest levels of uncertainty around device security.
Keatron Evans, principal security researcher for Infosec Institute and a consultant for KM Cyber Security, agrees that the OMBs timeline is very aggressive.
In some regards there are some unrealistic expectations. Some of the requirements may even make security worse in some areas, he says, going on to explain that most agencies are barely at the starting gate of their zero-trust journey. Earnestly, I estimate that less than 10% are ready to start. Most of them dont have the technical expertise or the appropriate budgets. I get the sense that some of the deadlines laid out failed to consider the actual quantitative costs involved.

Last News

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
The Zero-Trust Timer Is on for Federal Agencies — How Ready Are They?