[TheRecord] White House releases final zero-trust strategy for federal government

The White House on Wednesday issued finalized plans for its strategy to move the federal government to a “zero-trust” cybersecurity strategy by 2024.

The plan, laid out by the Office of Management and Budget (OMB), is an update to a draft issued last September — the new version includes changes requested by cybersecurity professionals, non-profit organizations, and private industry, the agency said. The finalized strategy includes a strong emphasis on enterprise access controls, including multi-factor authentication, and encrypting all DNS and HTTP traffic. 

The document makes clear that a transition to a zero-trust architecture will take time to implement, especially given the complexity of government networks and systems. The concept of zero-trust—which at its core assumes that devices on a network should never be trusted—has been circulating among industry consultants and cybersecurity firms for years. But it has increasingly received attention among federal cybersecurity officials after attacks such as the SolarWinds breach and Microsoft Exchange hack put a focus on hackers who have already broken through perimeter defenses.

“Transitioning to a zero trust architecture will not be a quick or easy task for an enterprise as complex and technologically diverse as the Federal Government,” the finalized plan says. 

Today, we released a Federal cybersecurity strategy to move the U.S. Government toward a “zero trust” architecture — a critical step forward in delivering on @POTUS’s cybersecurity Executive Order. https://t.co/mhrEqxAFR6

— Office of Management and Budget (@OMBPress) January 26, 2022

Agencies will have nearly two years to implement zero-trust requirements, and the strategy sets deadlines for certain action items. The plan requires agencies to designate a zero-trust strategy implementation lead for their organization within 30 days. Within 60 days, agencies must build upon zero-trust implementation plans that they were required to prepare following the Cybersecurity Executive Order issued by President Biden last May. 

Advocates of a zero-trust approach say that it could help prevent a future SolarWinds-like attack, in which hackers essentially gain access to a target’s network by first compromising a cog in the organization’s supply chain. The model involves setting up internal controls that constantly verify whether users should be able to do what they’re trying to do.

“As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” said CISA Director Jen Easterly. “Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.”

“This strategy is a major step in our efforts to build a defensible and coherent approach to our federal cyber defenses,” said National Cyber Director Christopher Inglis. “We are not waiting to respond to the next cyber breach. Rather, this Administration is continuing to reduce the risk to our nation by taking proactive steps towards a more resilient society.”

The finalized strategy from OMB can be found below:

The post White House releases final zero-trust strategy for federal government appeared first on The Record by Recorded Future.

Source: Read More (The Record by Recorded Future)

You might be interested in …

[ZDNet] This serious Wi-Fi bug can break your iPhone, but here’s how to protect yourself

All posts, ZDNet

Walking past a Wi-Fi hotspot with a specific name can cause big problems for your iPhone. And the scary thing is that it’s easy to do. Source: Read More (Latest topics for ZDNet in Security)

Read More

[BleepingComputer] Microsoft June 2021 Patch Tuesday fixes 6 exploited zero-days, 50 flaws

Today is Microsoft’s June 2021 Patch Tuesday, and with it comes fixes for seven zero-day vulnerabilities and a total of 50 flaws, so Windows admins will be scrambling to get devices secured. […] Source: Read More (BleepingComputer)

Read More

[HackerNews] Can Data Protection Systems Prevent Data At Rest Leakage?

All posts, HackerNews

Protection against insider risks works when the process involves controlling the data transfer channels or examining data sources. One approach involves preventing USB flash drives from being copied or sending them over email. The second one concerns preventing leakage or fraud in which an insider accesses files or databases with harmful intentions. What’s the best […]

Read More