The White House is following a new cybersecurity guideline to further improve the security posture of federal agencies. The memo strongly encourages the adoption of zero-trust architecture so that, in the process of protecting their software landscape, federal agencies do not leave any gap unaddressed when data is handed off between systems.
The new memorandum, Memo M-22-09 from the U.S. Government's Office of Management and Budget (OMB), outlines why zero-trust architecture is important for protecting the web applications that federal agencies and the public rely on every day. The SolarWinds case reminded the government that supply chain security is vital, and the recent Log4Shell incident highlighted how important incident response is as a way to improve security.
“In the current context of the threat, the federal government can no longer rely on conventional perimeter-based defenses to protect critical systems and data,” said Shalanda Young, acting director of OMB. Young also noted that, in line with President Biden's executive order on cybersecurity, the government needs to make significant changes to how it handles cybersecurity if it wants to keep up with the latest threats.
One step ahead of the access control problem
The strategy described in OMB's Memo M-22-09 aims to improve enterprise identity and access control through efforts such as multi-factor authentication and a new baseline for access that strengthens defenses against phishing attempts. Ultimately, it sets out a vision of a government that has:
- Enterprise-managed accounts for federal employees, providing secure access to everything they need to get their work done
- Devices that are continuously tracked and monitored, with their security state taken into account when they access internal resources
- Isolated agency systems, with the network traffic that flows within and between those systems encrypted
- Enterprise applications that are tested both internally and externally, and that employees can securely access via the Internet
- Federal security teams and data teams working together to create data categories and security rules that automatically detect, and ultimately block, unauthorized access to sensitive information
In a zero-trust architecture, where no asset is considered 100% trustworthy, these efforts fold neatly into cybersecurity strategies that aim to encrypt and authenticate all traffic. To stay one step ahead of threat actors, this strategy is an integral part of a more comprehensive application protection program that covers everything from tooling to processes, capabilities, third-party component checks, and vulnerability handling.
“In addition to a strong internal testing program, agencies should verify their applications as our country's counterparts do,” Young wrote in the memo. “This requires a process of welcoming external partners and assessing the real-world security of agency applications, and the integrated disclosure of vulnerabilities by the general public.”
Transforming into a more robust security program may seem difficult, but if done thoughtfully it will help guide agencies as they implement these mission-critical guidelines and meet their deadlines.
New deadlines and targets for federal agencies
The urgency of the memo is clear: government agencies have 30 days to assign a leadership role for implementing the zero-trust strategy to someone in their organization, and then 60 days to submit their complete implementation plan to Young's office. Once submitted, the countdown is on: by the end of 2024, specific zero-trust security goals defined by CISA must be achieved.
The goals, which are aligned with CISA's five zero-trust pillars, include improved security for identities, devices, and networks. They also include assessing applications and workloads, and ensuring that agencies are securing data both on premises and in the cloud. As more agencies move to a cloud-first environment for added flexibility and ease of access, modern security solutions that offer full visibility and full coverage are more important than ever.
Learn how Invicti helps government agencies keep their environments safe through dynamic and interactive web application security solutions that help you meet these and other key guidelines.