White House drafts zero-trust guidance

To help federal agencies convert their networks, systems and devices to a zero-trust security architecture, the White House has issued three new draft guidance documents.

The documents, including the federal zero trust strategy from the Office of Management and Budget and a zero trust maturity model and cloud security technical reference architecture from the Cybersecurity and Infrastructure Security Agency, are meant to provide agencies with the roadmap and resources required to sustain a multiyear push towards zero trust.

OMB and CISA released a request for comments on the documents, saying the drafts were meant "to accelerate agencies towards a shared baseline of early zero trust maturity" while assisting them as they implement zero-trust architectures. The effort also includes the launch of a joint website from OMB and CISA covering zero-trust implementation.

OMB's draft zero-trust strategy includes a set of deliverables due by the close of fiscal year 2024, including the deployment of enterprisewide identity management and adoption of multifactor authentication, the establishment of comprehensive device inventories and encryption of data on agency networks. OMB also tasks agencies with getting rid of password rotation requirements and the use of special characters, "which have been known to lead to weaker passwords in real-world use." Instead, OMB wants agencies to consult National Institute of Standards and Technology guidance on appropriate passwords and passphrases as a component of a multifactor authentication scheme.

The Biden administration’s cybersecurity executive order signed in May requires the federal government to advance towards a zero-trust architecture and mandated the strategy and technical guidance documents released this week.

CISA Deputy Executive Assistant Director Matt Hartman said at a June ACT-IAC panel that the White House had begun collaborating with his agency and others ahead of the cyber order to begin drafting new guidance around transitioning to advanced security systems.

"It's important to consider that many of these tasks [in the executive order] are sprints to develop strategies," he said at the time. "The administration fully recognizes that many of the core issues being addressed will only be solved through years - literally years - of focus and continued investment."

The comment periods for the CISA documents on cloud security architecture and the zero trust maturity model run through October 1. Comments on the zero trust guidance from OMB are due by September 21.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Chris Riotta is a staff writer at FCW covering government procurement and technology policy. Chris joined FCW after covering U.S. politics for three years at The Independent. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president.
