The implementation of the Office of Management and Budget’s zero trust strategy needs to involve a range of measures to help agencies stay on top of implementation, as well as additional funding from Congress, according to industry stakeholders.
“OMB went further than I expected in their overall embrace of zero trust and it’s great to see the emphasis on action over strategy. As the memo acknowledges, the move away from a hardened perimeter and ‘trusted networks’ may be a difficult concept for government agencies to embrace, but it is absolutely essential if the government is to achieve true zero trust security. The strategy will allow for significant modernization of our cyber defenses,” Michael Hettinger of Hettinger Strategy Group said.
Hettinger said, “As we move quickly from strategy to action -- the memo gives agencies 30 days to appoint a zero trust lead and 60 days to come up with an implementation plan -- OMB and CISA must hold agencies feet to the fire on implementation. The stakes are too high for this to be slow rolled.”
OMB released a memorandum on Wednesday outlining the government’s strategy to move agencies to zero trust. The strategy is a deliverable from a 2021 cyber executive order to secure federal networks. OMB put out a draft strategy for public comment in September.
Kent Landfield, chief standards and technology policy strategist at Trellix, said the memo is “well written and thoughtful strategy that should have a positive effect on federal digital security if agencies can follow through.”
“McAfee Enterprise (now Trellix) submitted comments to the draft, and we are pleased to see how they were incorporated into the strategy. The entire process of collaboration with industry on this strategy has been positive and we believe the overall strategy is better for it. M-22-09 requires ‘agencies to achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024.’ It is critical OMB and CISA work closely with agencies to assure they receive the support and funding needed to make this paradigm shift a successful reality,” Landfield said.
Norma Krayem of Van Scoyoc Associates, called the memo a “critical statement by OMB giving clear direction to Executive Branch Departments and Agencies, while making clear the scope of the challenge the U.S. Government has.”
Krayem commented, “OMB also clearly underscores that CISA is the lead agency to define the cybersecurity needs for these agencies, citing to CISA’s five main tenets on Zero Trust Architecture and requires all the FECB to submit a plan to OMB and CISA for FY 22-24 for OMB concurrence. But the question remains to be seen how will this policy be enforced? What ramifications exist for agencies who do not comply? How will this mandate flow down to government contractors? How much time will contractors have to implement change?”
Ross Nodurft, executive director of the Alliance for Digital Innovation, said, “The plans that agencies are developing represent the beginning of the process -- what agencies produce at the end of 60 days will continue to evolve as they modernize and rearchitect their environments. These plans will be living documents; hopefully OMB and CISA will continue to produce guidance, best practices, and templates that agencies can use to further flesh out their approaches to zero trust.”
Nodurft is the former chief of OMB’s cyber team and previously worked at Venable.
The Information Technology Industry Council and the U.S. Chamber of Commerce weighed in on the potential impact of the zero trust memorandum.
“The strategy outlined in today’s memo will provide actionable guidance to agencies as they shift to a zero trust paradigm, which embraces a stronger, more coordinated, whole-of-government approach to cybersecurity risk management. This strategy will help enable agencies and leaders to advance a common security baseline across the federal government by linking the modernization of government IT to cybersecurity, specifically on the efforts regarding zero trust,” said Gordon Bitko, ITI’s senior vice president of policy for public sector.
Bikto said, “To be successful, we recommend OMB works with agencies to ensure that appropriate budget and priority decisions are made, as well as Congress to make sure proposed FISMA reform requirements are aligned and consistent. We appreciate the administration’s willingness to incorporate industry’s feedback and encourage it to continue working with cybersecurity experts to ensure that implementation plans reflect the most modern and secure solutions. We remain committed to sharing our experience and expertise as the U.S. government adopts this appropriate and future-proof strategy.”
The Chamber’s Christopher Roberti said, “The transition to ZTA is an important goal and we recognize the administration for prioritizing this transition. Strategy without resources will result in the slowest route to zero trust networks. The U.S. Chamber supports the application of current FY22 funding to investment in ZTA technologies and acknowledges the Technology Modernization Board for making meaningful allocations from the Technology Modernization Fund to ZTA projects. Further, we call on the Administration to request appropriate funding from Congress for ZTA technologies in its annual budget request.”
Megan Brown, a partner at law firm Wiley, commented on the strategy through the lens of the federal contracting community.
“The document does not make clear how federal contractors will be impacted, and I expect that to take some time and be complex. The strategy creates opportunities to provide identity, authentication, vetting, and other services, but it may cause some headaches for federal network administrators and the contractors that support them,” Brown said.
She added, “NIST has been working on updates to several key security publications on which this strategy relies, and that will continue to progress. contractors should be engaging with NIST to ensure its changes are practical and flexible.”
Stakeholders emphasized the importance of getting funding from Congress for agencies to implement their zero trust strategies and fulfill the goals of the executive order.
Hettinger said, “I am encouraged that the strategy requires agencies to develop and include budget estimates for FY23-24 in their implementation plans. OMB must follow through on this and make sure zero trust is reflected in future budget instructions and guidance. And Congress needs to do their part, increasing agency cybersecurity funding in future years to account the requirements of this strategy and related cyber needs.”
ADI’s Nodurft said, “While OMB tells agencies to start budgeting for investments in zero trust for FY 24, agencies hopefully have started making some resource requests that will show up in the FY 23 budget. Congress and the agencies have an opportunity to work on resourcing well before budgets are finalized for FY 24. Agencies need to start making investments in commercial and cloud based technology and services now in order to meet the goal of transitioning to a zero trust environment by 2024.” -- Sara Friedman (email@example.com)