the Executive Office of the President issued an executive memorandum to the heads of federal government executive departments and agencies, which provided guidance and direction on zero-trust architecture (ZTA) strategy. The memo was entitled Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, and it offered follow-on guidance after the May 2021 Executive Order (EO) 14028, Improving the Nation’s Cybersecurity.
Here's how the 2022 memo begins:
“This memorandum sets forth a federal zero trust architecture (ZTA) strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 in order to reinforce the government’s defenses against increasingly sophisticated and persistent threat campaigns. Those campaigns target federal technology infrastructure, threatening public safety and privacy, damaging the American economy, and weakening trust in government.”
A bit further down the page, you find these executive summary points:
“This strategy envisions a federal government where:
- Federal staff have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks.
- The devices that federal staff use to do their jobs are consistently tracked and monitored, and the security posture of those devices is taken into account when granting access to internal resources.
- Agency systems are isolated from each other, and the network traffic flowing between and within them is reliably encrypted.
- Enterprise applications are tested internally and externally, and can be made available to staff securely over the Internet.
- Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information.”
ZERO-TRUST STATUS NOW
Fast-forward to September 2024, and "Major federal agencies are close to meeting September zero-trust deadline, federal CIO says," according to NextGov/FCW: “A tranche of major federal agencies have nearly met a Sept. 30 deadline requiring them to build out and adopt a degree of zero trust architecture on their networks, federal CIO Clare Martorana said Wednesday (Sept. 4, 2024).”
Also from that article: “Federal cyberdefenses became a top issue for the Biden administration after the Colonial Pipeline and SolarWinds Orion incidents that occurred in the past couple years. Other headline-making hacks have followed, including last summer when Chinese operatives accessed the email inboxes of U.S. officials, which later became the subject of a major DHS oversight report.”
WHERE ARE STATE GOVERNMENTS ON ZERO TRUST?
And while major progress can be measured for federal government agencies, an article written by Apu Pavithran for govtech.com in March 2024 urged state and local governments to mandate zero trust:
“The success of the federal government’s zero-trust transition highlights the need for state and local mandates. The strict deadline serves as a catalyst, compelling action and fostering a resilient cyber culture. …
“The deadline is prompting action. With a goal in sight, federal agencies have a systematic and organized path toward stronger defenses. In an era where cyber threats advance in sophistication and intensity, this proactive stance is paramount for securing critical systems and data. This is something state and local governments must consider when fortifying for the future.”
And while the lack of mandates makes progress on zero trust difficult to gauge with precise metrics, most states have expressed a desire to implement ZTA. These realities show up all over the country at cyber summits and technology conferences.
For example, a California Department of Technology Letter 23-01 states: “This TL also serves as a notice that all state entities must work toward a Zero Trust Architecture (ZTA) model as outlined in NIST 800-207. Refer to the Cybersecurity [and] Infrastructure Security Agency (CISA) Zero Trust Maturity Model Version 2.0. By May 2024, all state agencies/entities must have assessed, planned, and implemented the “Initial” maturity stage of each of the five pillars including Identity, Devices, Networks, Applications and Workloads, and Data.”
This article outlines how Florida has encouraged the implementation of ZTA through House Bill 7055, also known as the Local Government Cybersecurity Act, which was signed into state law on June 24, 2022:
“Government entities will have to adopt cybersecurity standards to protect its data, network, equipment and other technology resources. These standards must be consistent with generally accepted best practices from the National Institute of Standards and Technology (NIST).
The required adoption dates for these standards depend on the size and type of your entity:
- The deadline is Jan. 1, 2024 for counties with a population of 75,000 or greater and municipalities with a population of 25,000 or greater.
- The deadline is Jan. 1, 2025 for counties and municipalities falling under these thresholds.”
The article also points out that these NIST standards highlight the need for implementing advanced security measures to prevent ransomware attacks and other intrusions, such as an EDR, XDR or zero-trust methodology.