The Office of Management and Budget’s draft federal zero-trust strategy needs more deadlines on required actions to help agencies prioritize them, according to tech officials.
Currently the draft strategy simply requires agencies to complete its identity, device, network, application and data actions by the end of fiscal 2024 — a broad deadline that doesn’t offer guidance on how to prioritize them individually.
“There’s a lot of value in a strategy document, and I’m a big fan,” said Shane Barney, CISO at U.S. Citizenship and Immigration Services, during an AFCEA Bethesda webinar Wednesday. “But there’s also a lot of value in adding teeth.”
Agencies can’t drum up the resources for a zero-trust security architecture overnight, said Sheena Burrell, deputy chief information officer at the National Archives and Records Administration. Planning and alternative funding sources, like the Technology Modernization Fund, are needed.
NARA intends to use TMF funds to build out its zero-trust architecture in accordance with the recent cybersecurity executive order and subsequent OMB guidance.
“My agency is putting in for some of our cybersecurity issues looking at our high-value assets, trying to modernize those systems, as well as looking at our zero-trust architecture and these other key pieces and putting in a request for that Technology Modernization Fund because we didn’t have that money,” Burrell said. “And we didn’t have those resources when [this guidance] came out.”
That the strategy states the goal of a zero-trust model is to place the entire enterprise on the public internet is “revolutionary” and will help agencies design their architectures and define trust, Barney said. And he’s a “big fan” of the requirement that agencies develop a network segmentation plan in consultation with the Cybersecurity and Infrastructure Security Agency to submit to OMB.
However, Barney would also like to see a “no humans in production” requirement, under which products are deployed to the production environment automatically, without manual intervention. USCIS isn’t 100% of the way there yet.
“Humans in production should be a break-glass event; in other words it should be something that’s an emergency,” Barney said. “You moving product into production should be an automated pipeline.”
The strategy should also add an extra layer of security for token-based authentication, so it’s not just multi-factor but multi-tiered. Think adding YubiKey infrastructure — that’s separate from the regular, challenge-handshake authentication protocol — for high-level access accounts.
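The two ideas above, a tiered authentication requirement for privileged accounts and production access limited to an automated pipeline with human access only as an alerted break-glass event, can be expressed as a small policy-as-code check. The following is an added example, not code from OMB, USCIS, NARA or any product mentioned here; the tier names, factor names, the `prod` target label and the sample requests are all constructed assumptions.

```python
"""Policy-as-code sketch: multi-tiered authentication for privileged accounts and
"no humans in production" except as a break-glass event (added example; all
names and sample inputs below are constructed, not from any real policy)."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Tier(Enum):
    STANDARD = "standard"
    PRIVILEGED = "privileged"      # high-level access accounts


@dataclass(frozen=True)
class AccessRequest:
    principal: str                 # human user or pipeline service identity
    tier: Tier
    target: str                    # constructed labels: "prod" or "dev"
    factors: FrozenSet[str]        # factors actually presented at login
    is_pipeline: bool = False      # True for the automated deployment identity
    break_glass_ticket: Optional[str] = None


@dataclass
class Decision:
    allowed: bool
    reason: str
    alert: bool = False            # break-glass use must page the SOC


EVERYDAY_MFA = {"totp", "push"}    # the regular second factor
HARDWARE_KEY = "hardware_key"      # separate hardware-backed authenticator (second tier)


def authentication_satisfied(req: AccessRequest):
    """Return (ok, reason). Standard accounts need multi-factor; privileged
    accounts additionally need the hardware key, i.e. multi-tiered."""
    if req.is_pipeline:
        # Service identity: short-lived workload credential, no password at all.
        if "workload_credential" in req.factors:
            return True, "workload credential presented"
        return False, "pipeline identity must present a workload credential"
    has_mfa = "password" in req.factors and bool(
        req.factors & (EVERYDAY_MFA | {HARDWARE_KEY}))
    if not has_mfa:
        return False, "multi-factor authentication required"
    if req.tier is Tier.PRIVILEGED:
        # Second tier: everyday MFA *and* a separate hardware-backed key.
        if not (req.factors & EVERYDAY_MFA) or HARDWARE_KEY not in req.factors:
            return False, "privileged tier requires everyday MFA plus a hardware key"
    return True, "authentication satisfied"


def evaluate(req: AccessRequest) -> Decision:
    ok, why = authentication_satisfied(req)
    if not ok:
        return Decision(False, why)
    if req.target != "prod":
        return Decision(True, why)
    # Production: only the automated pipeline deploys. A human gets in only
    # with a break-glass ticket, and that access is alerted on.
    if req.is_pipeline:
        return Decision(True, "automated pipeline deployment")
    if req.break_glass_ticket:
        return Decision(True, f"break-glass access under {req.break_glass_ticket}", alert=True)
    return Decision(False, "no humans in production without a break-glass ticket")


if __name__ == "__main__":
    # Constructed sample requests to illustrate each branch.
    samples = [
        AccessRequest("alice", Tier.STANDARD, "dev", frozenset({"password", "totp"})),
        AccessRequest("bob", Tier.PRIVILEGED, "dev", frozenset({"password", "totp"})),
        AccessRequest("bob", Tier.PRIVILEGED, "prod",
                      frozenset({"password", "totp", HARDWARE_KEY})),
        AccessRequest("bob", Tier.PRIVILEGED, "prod",
                      frozenset({"password", "totp", HARDWARE_KEY}),
                      break_glass_ticket="INC-0001"),
        AccessRequest("deploy-bot", Tier.PRIVILEGED, "prod",
                      frozenset({"workload_credential"}), is_pipeline=True),
    ]
    for req in samples:
        d = evaluate(req)
        print(f"{req.principal:>10} -> {req.target:<4} allowed={d.allowed} alert={d.alert} ({d.reason})")
```

The alert flag on the break-glass branch is the detection hook: every human entry into production is expected to be rare, ticketed and reviewed, so a stream of such events is itself a finding.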
“Because one of the things you saw with SolarWinds was the ability for threat actors to use or compromise some of our core security in terms of identity,” Barney said.
Barney also took issue with the strategy’s requirement that CISA adapt the Continuous Diagnostics and Mitigation program to avoid the use of privileged software agents wherever possible. The problem is that a number of security tools, such as Splunk, require privileged accounts to run, so the strategy should be clarified to explain what mitigation, monitoring and risk-based scenarios are needed, he said.