On January 26, 2022, the acting director of the U.S. Office of Management and Budget (OMB) issued a memorandum (M-22-09) to the heads of all U.S. government agencies, directing them to move toward the principles of Zero Trust cybersecurity. The detailed 29-page memo sets out a Zero Trust architecture (ZTA) strategy with a stated goal of meeting specific Zero Trust objectives by the end of fiscal year 2024. The memo explicitly calls out the missions at stake: safeguarding the nation’s critical infrastructure, conducting scientific research, engaging in diplomacy, and providing benefits and services for the American people.
The memo follows a presidential Executive Order (EO 14028, Improving the Nation’s Cybersecurity) calling for “initiating a sweeping Government-wide effort to ensure that baseline security practices are in place, to migrate the Federal Government to a zero trust architecture, and to realize the security benefits of cloud-based infrastructure while mitigating associated risks.” Within 30 days of the memo’s issuance, agencies must designate a Zero Trust implementation lead; within 60 days, they must submit to OMB and CISA an implementation plan and a budget estimate covering FY2022 through FY2024.
The Zero Trust clock is ticking!
Zero Trust Goals for the Nation
In particular, the memo lays out tangible goals aligned with the five pillars of CISA’s Zero Trust Maturity Model: Identity, Devices, Networks, Applications and Workloads, and Data.
- Identity: Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.
- Devices: The Federal Government has a complete inventory of every device it operates and authorizes for Government use, and can prevent, detect, and respond to incidents on those devices.
- Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment, and begin executing a plan to break down their perimeters into isolated environments.
- Applications and Workloads: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.
- Data: Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data, and have implemented enterprise-wide logging and information sharing.
More concretely, the OMB envisions a shift in protecting users, devices, applications and transactions, as laid out in the DoD Zero Trust Reference Architecture, emphasizing monitoring, isolation, authentication, access control, testing, and policy.
Project Blue Collaboration
TestifySec Witness performs attestation of user, device, data, and workload during all stages of the software delivery process, while Defense Unicorns’ Zarf packages these attestations into a verifiable bundle ready for deployment. Together, Zarf and Witness allow easy deployment and automated verification of large software systems into air-gapped networks.
Call to Action - TestifySec is Ready
The memo speaks with the stentorian voice of the government. But the real work of implementing its directives will occur in the private sector, as tens of thousands of government contractors, technology vendors and integrators strive to interpret the implications of the initiatives laid out in the memo and to assess the opportunities that follow from them.
It’s almost as if the OMB was thinking of TestifySec when its staff crafted this memo and laid out the initiatives in it. Our vision for Zero Trust is aligned with CISA’s, and the capabilities of TestifySec Witness and of TestifySec services support key aspects of the OMB mission set:
- Workload authentication
- The central roles of User and Device identities
- Imbuing the workload life-cycle with assertions of provenance and identity
- Creating a closed loop of trust for DevSecOps, from supply chain to development to deployment, and back
Importantly, TestifySec is not merely ready to respond to the OMB memo; we were founded in anticipation of it.