White House drafts zero-trust guidance
- By Chris Riotta
- Sep 08, 2021
To help federal agencies convert their networks, systems and devices to a zero-trust security architecture, the White House has issued three new draft guidance documents.
The documents, including the federal zero trust strategy from the Office of Management and Budget and a zero trust maturity model and cloud security technical reference architecture from the Cybersecurity and Infrastructure Security Agency, are meant to provide agencies with the roadmap and resources required to sustain a multiyear push towards zero trust.
OMB and CISA released a request for comments on the documents, saying the drafts were meant "to accelerate agencies towards a shared baseline of early zero trust maturity" while assisting them as they implement zero-trust architectures. The effort also includes the launch of a joint website from OMB and CISA covering zero-trust implementation.
OMB's draft zero-trust strategy includes a set of deliverables due by the close of fiscal year 2024, including the deployment of enterprisewide identity management and adoption of multifactor authentication, the establishment of comprehensive device inventories and encryption of data on agency networks. OMB also tasks agencies with getting rid of password rotation requirements and the use of special characters, "which have been known to lead to weaker passwords in real-world use." Instead, OMB wants agencies to consult National Institute of Standards and Technology guidance on appropriate passwords and passphrases as a component of a multifactor authentication scheme.
The Biden administration’s cybersecurity executive order, signed in May, requires the federal government to advance towards a zero-trust architecture and mandates the strategy and technical guidance documents released this week.
CISA Deputy Executive Assistant Director Matt Hartman said at a June ACT-IAC panel that the White House had begun collaborating with his agency and others ahead of the cyber order to begin drafting new guidance around transitioning to advanced security systems.
"It's important to consider that many of these tasks [in the executive order] are sprints to develop strategies," he said at the time. "The administration fully recognizes that many of the core issues being addressed will only be solved through years - literally years - of focus and continued investment."
The comment period for the CISA documents on cloud security architecture and the zero trust maturity model runs through October 1. Comments on the zero trust guidance from OMB are due by September 21.
This article was first posted to FCW, a sibling site to GCN.
Chris Riotta is a staff writer at FCW covering government procurement and technology policy. Chris joined FCW after covering U.S. politics for three years at The Independent. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president.