1/31/2022

The OMB Tells America - The Zero Trust Clock is Ticking

Author: Cole Kennedy

Zero Trust Clock is Ticking

On January 26, 2022, the acting director of the U.S. Office of Management and Budget (OMB) issued a memorandum (M-22-09) to the heads of all U.S. government agencies, directing them to move toward the principles of Zero Trust cybersecurity. The detailed, 29-page memo sets out a Federal zero trust architecture (ZTA) strategy, with a stated goal of agencies meeting specific zero trust security goals by the end of fiscal year 2024. The memo explicitly frames the effort around the missions at stake: safeguarding our nation’s critical infrastructure, conducting scientific research, engaging in diplomacy, and providing benefits and services for the American people.

The memo follows the May 2021 presidential Executive Order (EO 14028, Improving the Nation’s Cybersecurity), which, in the memo’s words, initiated “a sweeping Government-wide effort to ensure that baseline security practices are in place, to migrate the Federal Government to a zero trust architecture, and to realize the security benefits of cloud-based infrastructure while mitigating associated risks.” The deadlines are short: within 30 days of the memo’s issuance, agencies must designate a zero trust strategy implementation lead; within 60 days, agencies must submit to OMB and CISA an implementation plan and a budget estimate covering through FY2024.

The Zero Trust clock is ticking!


Zero Trust Goals for the Nation

In particular, the memo lays out tangible goals aligned with the five pillars of CISA’s Zero Trust Maturity Model: Identity, Devices, Networks, Applications and Workloads, and Data.

  1. Identity: Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.
  2. Devices: The Federal Government has a complete inventory of every device it operates and authorizes for Government use, and can prevent, detect, and respond to incidents on those devices.
  3. Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment, and begin executing a plan to break down their perimeters into isolated environments.
  4. Applications and Workloads: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.
  5. Data: Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data, and have implemented enterprise-wide logging and information sharing.
CISA Zero Trust Pillars

More concretely, the OMB envisions a shift in protecting users, devices, applications and transactions, as laid out in the DoD Zero Trust Reference Architecture, emphasizing monitoring, isolation, authentication, access control, testing, and policy.

Project Blue Collaboration

TestifySec is currently working with Defense Unicorns to apply these tenets of Zero Trust in support of the U.S. Navy’s Project Blue and other DoD Software Factories.

TestifySec Witness performs attestation of user, device, data, and workload at every stage of the software delivery process, while Defense Unicorns’ Zarf packages those attestations, alongside the software itself, into a verifiable bundle ready for deployment. Together, Zarf and Witness allow easy deployment and automated verification of large software systems into air-gapped networks: the attestations travel with the bundle, so the receiving side can check that what it is about to run is exactly what was built and tested, without reaching back to the network it came from.
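To make concrete what “attestation travels with the artifact and is verified at deployment” means, here is an added example (not Witness or Zarf code) that builds an in-toto Statement for a build step, wraps it in a DSSE envelope using DSSE’s pre-authentication encoding, and then runs the verification a deployment policy would perform. The artifact bytes, key, and predicate type are constructed for illustration; the HMAC is a stand-in for the asymmetric signature a real attestation would carry, so that the example runs offline with only the standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample inputs. A real pipeline would sign with a private key held by
# the build step (or a workload identity) and verify with the matching public key.
SIGNING_KEY = b"example-shared-key-do-not-use"
ARTIFACT = b"#!/bin/sh\necho hello from the build\n"
PAYLOAD_TYPE = "application/vnd.in-toto+json"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(step: str, artifact_name: str, artifact: bytes) -> dict:
    """in-toto Statement: the subject digest binds the attestation to the exact bytes produced."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact)}}],
        # Hypothetical predicate type for this example; Witness defines its own.
        "predicateType": "https://example.com/attestation/build-step/v1",
        "predicate": {"step": step, "builder": "ci-runner-01"},
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the signature covers the payload type as well as the body,
    so an attacker cannot re-label a signed payload as a different kind of document."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)


def sign_envelope(statement: dict, key: bytes) -> dict:
    """Produce a DSSE envelope. HMAC stands in for a real asymmetric signature here."""
    payload = json.dumps(statement, sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "build-key", "sig": base64.b64encode(sig).decode()}],
    }


def verify_artifact(envelope: dict, artifact: bytes, key: bytes, expected_step: str) -> bool:
    """Deploy-time policy check: a valid signature, the expected step, and a subject digest
    that matches the bytes actually being deployed. Any mismatch means the artifact is
    not the one that was attested and must not run."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return False
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    for entry in envelope.get("signatures", []):
        if hmac.compare_digest(base64.b64decode(entry["sig"]), expected):
            break
    else:
        return False  # no signature from a trusted key
    statement = json.loads(payload)
    if statement.get("predicate", {}).get("step") != expected_step:
        return False  # attestation is for a different stage of the pipeline
    digest = sha256_hex(artifact)
    return any(s["digest"].get("sha256") == digest for s in statement.get("subject", []))


if __name__ == "__main__":
    env = sign_envelope(make_statement("build", "app.sh", ARTIFACT), SIGNING_KEY)
    print("genuine artifact verifies:", verify_artifact(env, ARTIFACT, SIGNING_KEY, "build"))
    print("tampered artifact verifies:", verify_artifact(env, ARTIFACT + b"# backdoor\n", SIGNING_KEY, "build"))
```

The point of the digest-in-subject design is that the envelope can be copied into an air-gapped bundle along with the artifact; the verifier needs only the bundle and the trusted public key, not any connection back to the build environment, and a single changed byte in the artifact fails the check.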

Call to Action - TestifySec is Ready

The memo speaks with the stentorian voice of the government. But the real work of implementing its directives will occur in the private sector, as tens of thousands of government contractors, technology vendors, and integrators work out what the memo’s initiatives mean for them and where the opportunities lie.

It’s almost as if the OMB was thinking of TestifySec when its staff crafted this memo and laid out the initiatives in it. Our vision for Zero Trust is aligned with CISA’s, and the capabilities of TestifySec Witness and of TestifySec services support key aspects of the OMB mission set:

  • Workload authentication
  • The central roles of User and Device identities
  • Imbuing the workload life-cycle with assertions of provenance and identity
  • Creating a closed loop of trust for DevSecOps, from supply chain to development to deployment, and back

Importantly, TestifySec is not merely ready to respond to the OMB memo; we were founded in anticipation of it.