OMB, CISA Unveil Plans to Shift to Zero Trust Architecture

CISA and OMB are requesting public comment on newly proposed strategies and guidance that support shifting the US government toward a zero trust architecture.

By Jill McKeon

The Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) are requesting public comment on newly proposed strategies and guidance that support the federal government’s shift toward a zero trust architecture, the White House announced.

The announcement closely follows an executive order signed in May that pledged to improve the nation’s cybersecurity in light of recent cyberattacks on US critical infrastructure entities. A major attack on Colonial Pipeline that disrupted 5,550 miles of the company’s fuel supply chain served as a major catalyst for the Administration’s increased focus on cybersecurity.

Hackers continue to target small and large healthcare organizations nearly every day, resulting in care disruptions, EHR downtime, and significant data loss. Implementing a zero trust architecture could also prove critical to ensuring cybersecurity in the healthcare sector, not just the government.

OMB released a draft of its Federal Zero Trust Strategy with the goal of “accelerating agencies towards a shared baseline of early zero trust maturity.”

The draft cited the Department of Defense’s (DOD) Zero Trust Reference Architecture, released in February, which states that “The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted.”

“Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.”

Using the DOD’s guidance as a starting point, OMB’s draft stated that it envisioned a federal zero trust architecture that recognizes every government resource and device, bolsters strong identity practices, relies on encryption and application testing rather than perimeter security, and supports automation and safe use of cloud services.

“The purpose of this strategy is to put all Federal agencies on a common roadmap by laying out the initial steps agencies must take to enable their journey toward a highly mature zero trust architecture,” the draft explained.

“This recognizes that each agency is currently at a different state of maturity, and ensures flexibility and agility for implementing required actions over a defined time horizon. The strategy also seeks to achieve efficiencies for common needs by calling for government-wide shared services, where relevant.”

All government departments and agencies will have 30 days from the final publication of OMB’s memorandum to designate a zero trust architecture implementation lead for their organization. The lead will be responsible for coordinating with the government on implementation efforts. OMB will accept public comments through September 21.

Simultaneously, CISA released its Zero Trust Maturity Model, which aims to serve as a roadmap for government agencies in the process of adopting zero trust cybersecurity principles. The model included five pillars of focus for implementing a zero trust architecture: identity, device, network/environment, application workload, and data.

The model also included guidance surrounding each pillar, along with specific examples of traditional, advanced, and optimal zero trust architectures for organizations to use throughout the implementation process.

CISA also released its Cloud Security Technical Reference Architecture (TRA), which was developed in collaboration with the United States Digital Service (USDS) and the Federal Risk and Authorization Management Program (FedRAMP).

The document included guidance on how to build a cloud environment, how to monitor a cloud environment using robust cloud security, and how to implement a shared risk model for cloud service adoption.

CISA will accept public feedback and comments on both drafts through October 1.

As the federal government begins a widespread shift to a zero trust architecture, other industries, including healthcare, may follow suit.

The HHS Cybersecurity Program released a report on zero trust in healthcare in late 2020. The report explained that given the interconnected nature of healthcare’s devices and networks, “It is clear that the current perimeter-based security model that most healthcare organizations use will no longer be effective.”

“To stay ahead of these trends, healthcare organizations must continue to invest in the basics while making a fundamental shift from the castle-and-moat approach to a Zero Trust model.”

HHS recommended that healthcare organizations begin the transition to a zero trust model with a software-defined perimeter (SDP), mesh VPNs, and modern network access control (NAC).

Although concerns have been raised about the feasibility of implementing a zero trust architecture in healthcare, constant cyberattacks in the healthcare sector make the need for widespread cybersecurity changes even more crucial.

“Never trust, always verify. With today’s zero trust announcement, we are clearly driving home the message to federal agencies that they should not automatically trust anything inside or outside of their perimeters,” Clare Martorana, US federal chief information officer, explained in the White House press release.

“They must verify anything and everything trying to connect to their systems before granting access. This is an expectation in a modern technology environment and we look forward to this public comment process to make our strategy even stronger.”