On January 26, 2022, the U.S. Office of Management and Budget (OMB) published Memorandum M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles” (the ZTA Memorandum), which requires federal agencies to take a hard look at their cybersecurity controls, and invest in and implement new measures to better protect the government’s networks, systems, and devices. The ZTA Memorandum expands upon President Biden’s Executive Order 14028, “Improving the Nation’s Cybersecurity,” which stated the president’s general goals to advance the federal government toward zero trust architecture (ZTA). The ZTA Memorandum also follows President Biden’s “Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems,” issued on January 19, 2022, which established certain cybersecurity requirements for National Security Systems (NSS) and set forth the methods by which federal agencies could secure exceptions to these requirements when appropriate given unique mission needs. To comply with the ZTA Memorandum’s increased cybersecurity requirements, federal agencies will be required to invest in new and/or increased cybersecurity controls, policies, and procedures to move to a ZTA. For government contractors involved in IT modernization efforts for the federal government, this initiative will likely drive unique and evolving agency requirements, which will ultimately present new partnership opportunities.
The ZTA Memorandum directs federal agencies to each take concrete action to achieve specific ZTA security goals by the end of Fiscal Year (FY) 2024, including:
- Within 60 days, submitting to the OMB and the Cybersecurity and Infrastructure Security Agency (CISA) an implementation plan to describe how the agency intends to incorporate the requirements for implementing a ZTA; and
- Within 30 days, designating and identifying an individual for each agency that will serve as a zero trust strategy implementation lead.
The cybersecurity model of “zero trust” is based on the principle of “never trust, always verify.” A network architecture based on zero trust requires all users, whether inside or outside of the network, to be authenticated, authorized, and continuously validated before being granted access to applications or data. Additionally, within this cybersecurity model, users and devices are only given permissions to access network resources necessary for the task at hand, also known as the principle of least privilege. The switch to ZTA by the government is a departure from previous policies, which accepted certain “trusted networks.”
To implement zero trust in accordance with the ZTA Memorandum, federal agencies will be required to take the following actions, among others:
- Employ centralized identity management systems
- Utilize strong multi-factor authentication (MFA) throughout their enterprise
- Create reliable asset inventories through participation in CISA’s Continuous Diagnostics and Mitigation (CDM) program
- Ensure their endpoint detection and response (EDR) tools meet CISA’s technical requirements and are widely deployed
- Resolve Domain Name System (DNS) queries using encrypted DNS
- Enforce HTTPS for all web and application programming interface (API) traffic in their environment
- Operate dedicated application security testing programs and utilize external firms for independent third-party evaluations
- Maintain a public vulnerability disclosure program for their internet-accessible systems
- Implement initial automation of data categorization and security responses
- Audit access to any data encrypted at rest in commercial cloud infrastructure
- Implement comprehensive logging and information-sharing capabilities
Government contractors that operate in this space should take note of these new requirements imposed on federal agencies. ZTA requirements are already being incorporated into some solicitations being published by defense and, in some instances, civilian agencies. Very recently, the Defense Information Systems Agency (DISA) issued a multimillion dollar award to start building the foundations of ZTA for the Defense Department. The contract was awarded for a $6.8 million zero trust prototype project, which the agency calls Thunderdome. The awardee has been tasked with building the first testbed implementation of a ZTA.
Without question, new partnership opportunities will emerge for innovative contractors to assist the federal government in meeting the FY 2024 deadline. Agencies’ compliance with these increased cybersecurity requirements will require additional investments in new and/or increased cybersecurity controls, policies, and procedures to move to a ZTA. Within the next 60 days, or by the end of March 2022, each of the federal agencies will present implementation plans to OMB and CISA. These implementation plans will necessarily provide details on how each agency plans to invest in the tools and resources needed to develop a ZTA and to further modernize the federal government’s cybersecurity controls to thwart current threats.
This is just one more step towards implementing President Biden’s strategy to build a defensible and coherent whole-of-government approach to federal cybersecurity defense. The Biden administration has made it clear that federal agencies cannot afford to wait for the next cyber breach and simply react and respond. Instead, agencies will need to take active steps to reduce the risk by implementing frameworks like ZTA, and contractors should take advantage of the opportunities that will be presented.