Cybersecurity made this a busy year for the federal sector. This summer the White House took action with a wide-ranging executive order that seeks substantial changes to bolster America’s cybersecurity posture in response to several high-profile cyberattacks targeting critical infrastructure and federal institutions.

Federal organizations, such as the Office of Management and Budget (OMB), are now taking the lead with a new reform plan centered on zero trust security. Zero trust is more than just a catchphrase or a set of novel practices; rather, it denotes a fundamental change that will impact all federal agencies and contractors. These reforms will enable DoD contractors to bid for CMMC government contracts.

Following Cybersecurity Awareness Month, we look at these developments in light of a fast-evolving threat environment and consider how zero trust security will help to fortify federal infrastructure against highly skilled cyber criminals.

The Zero Trust Model

A draft that the OMB made available for public comment on September 7th outlines the principles that would drive the federal deployment of zero trust security. At a high level, the zero trust approach treats every person, device, and application as though it could pose a danger, shifting the emphasis of cybersecurity from an institution’s perimeter to its internal networks.

Today, organizations typically harden their public-facing networks to protect them from outside threats. Attackers concentrate on getting past these barriers and then move laterally from their initial point of entry toward higher-value targets. Although they will meet varying degrees of resistance along the way, they have a good chance of success as long as they can get a foot in the door.

Getting past the door won’t be sufficient under a zero trust model, since users would need to be continuously authenticated with multi-factor authentication as they move across devices and applications. Rights and privileges will be granted only when necessary, and checks will be conducted continuously. The best part is that this also effectively counters threats from the inside.

The Zero-Trust Maturity Model

On the same day that the Office of Management and Budget (OMB) released its memo, the Cybersecurity and Infrastructure Security Agency (CISA) released two documents: the Zero-Trust Maturity Model (ZTMM), which describes the “optimal” zero trust landscape that public sector institutions will be required to adhere to over the coming years, and a draft technical benchmark architecture.

The OMB memo lists five security objectives agencies must accomplish by September 2024. The ZTMM draft is consistent with these objectives:

Identity: Employees must be given an agency-wide identity with phishing-resistant multi-factor authentication to access work applications.

Devices: Agencies are required to keep a complete inventory of all devices they permit to be used on government networks and to have the capability to identify and address any cyber events coming from those devices.

Networks: Agencies are required to segment networks based on applications and encrypt all DNS and HTTP traffic within their environment. If the government finds a reliable way to do so, agencies are also required to encrypt emails in transit.

Apps: All applications must be regarded as Internet-connected and go through “rigorous testing” regularly with the aid of external vulnerability reports.

Data: Agencies should collaborate to implement protections using data classification. Cloud security services are advised for monitoring sensitive data access and enabling enterprise-wide logging and information sharing.

Recognizing the scope of reform necessary to achieve these goals, the OMB has urged organizations with robust cybersecurity programs to assist others in a weaker position. It also expects CISA to provide zero trust maturity assessments in the future, helping organizations identify and fill any gaps.
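The per-request model described above can be sketched as a small policy check. This is an added example, not code from OMB or CISA: it evaluates each request against the identity, device, network and application objectives and never treats being inside the network as a reason to allow. The user names, device IDs, application names and the choice of FIDO2 and PIV as phishing-resistant methods are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical names and IDs, not from the OMB memo).
PHISHING_RESISTANT = {"fido2", "piv"}           # assumed examples of such MFA
DEVICE_INVENTORY = {"LT-0412": {"open_incident": False},
                    "LT-0977": {"open_incident": True}}
GRANTS = {"alice": {"payroll-app"}, "bob": {"hr-app"}}   # least privilege

@dataclass(frozen=True)
class Request:
    user: str
    mfa_method: str          # how the user authenticated for this request
    device_id: str
    app: str
    encrypted: bool          # HTTP/DNS traffic is encrypted
    internal_network: bool   # recorded, but never a reason to allow

def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Check one request against every pillar; return (allowed, reasons)."""
    reasons = []
    if req.mfa_method not in PHISHING_RESISTANT:
        reasons.append("identity: MFA is not phishing-resistant")
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None:
        reasons.append("device: not in the agency inventory")
    elif device["open_incident"]:
        reasons.append("device: unresolved cyber event on this device")
    if not req.encrypted:
        reasons.append("network: traffic is not encrypted")
    if req.app not in GRANTS.get(req.user, set()):
        reasons.append("application: no grant for this user")
    return (not reasons, reasons)

# Constructed requests: every one originates inside the network perimeter.
SAMPLE_REQUESTS = [
    Request("alice", "fido2", "LT-0412", "payroll-app", True, True),
    Request("alice", "fido2", "LT-0412", "hr-app", True, True),   # lateral move
    Request("bob", "sms-otp", "LT-9999", "hr-app", False, True),
    Request("bob", "piv", "LT-0977", "hr-app", True, True),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        allowed, why = evaluate(r)
        print(r.user, r.app, "ALLOW" if allowed else "DENY", why)
```

The second request is the lateral-movement case: a fully authenticated user on a known device is still denied because no grant covers the application being reached.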

The Benefits of Zero Trust

Zero trust architecture is ultimately just one of several projects resulting from May’s executive order. However, although it won’t instantly make businesses immune to cyberattacks, it will result in considerable change in several ways:

Attacks will become much more difficult for both malicious insiders and foreign cyber actors thanks to ongoing user identity verification, tracking, and network and application segmentation.

Government entities will have much more control over their networks, real-time analytics, and the capacity to react rapidly in an emergency if they have accurate and complete device inventories.

Implementing zero trust models will ultimately force agencies to dismantle internal information silos and coordinate information sharing, which will hasten the modernization of federal IT.