The Office of Management and Budget is working to develop a system that generates trust scores for users before allowing them to access its network or applications, according to the chief information security officer of its Management and Operations Division.
Speaking during an ATARC webinar Thursday, Dan Chandler said the idea is to use all the network information at OMB’s disposal to alert a user in real time when their trust score isn’t high enough, rather than simply reject their request.
The Cybersecurity Executive Order issued in May 2021 accelerated agencies’ efforts to implement zero-trust security architectures, but funding and expertise for systems like the one OMB envisions remain scarce.
“System may be too strong a word,” Chandler said. “This is an idea that we’re starting to develop.”
The comments came after Federal CIO Clare Martorana told FedScoop last month that OMB aspires to implement new trust measures as it works to improve security and customer experience.
Agencies use tools like Google Authenticator and others from Amazon Web Services and Microsoft Azure to authenticate users, but how much trust those tools warrant changes depending on current events. If a zero-day vulnerability is found in one of those services, the trust placed in it may drop by a certain percentage, Chandler said.
If implemented, OMB’s desired system would compare a session’s trust score to the trust requirement on a function or feature. If a user’s score is too low to grant access, the system might even provide a list of options for raising it, such as reauthenticating or presenting a personal identity verification card, Chandler said.
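The mechanism Chandler describes is a continuous-authorization policy check: each authenticator carries a trust weight that can be cut when a vulnerability is disclosed, a session's score is derived from the factors presented and how stale they are, and a request is compared against the requirement of the function being accessed. The following is an added illustration of that idea, not OMB's code or design; every number, the authenticator names, the 0-100 scale, the "halve a stale session" decay rule and the function and class names are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Illustrative base trust contributed by each authenticator type (assumed
# values for this example, not OMB's). Scores are on a 0-100 scale.
BASE_TRUST: Dict[str, int] = {
    "password": 20,
    "totp": 30,        # e.g. Google Authenticator
    "cloud_mfa": 35,   # e.g. an AWS or Azure MFA service
    "piv": 60,         # PIV smart card
}

MAX_SCORE = 100


@dataclass
class TrustPolicy:
    """Current trust weights, including any temporary degradations."""
    # authenticator -> percentage currently deducted, e.g. after a zero-day
    degradations: Dict[str, int] = field(default_factory=dict)
    max_session_age_minutes: int = 60

    def degrade(self, authenticator: str, percent: int) -> None:
        """Cut an authenticator's trust by `percent` until the event is resolved."""
        if authenticator not in BASE_TRUST:
            raise KeyError(f"unknown authenticator: {authenticator}")
        self.degradations[authenticator] = max(0, min(100, percent))

    def restore(self, authenticator: str) -> None:
        """Remove a degradation once the vulnerability is patched."""
        self.degradations.pop(authenticator, None)

    def weight(self, authenticator: str) -> int:
        pct = self.degradations.get(authenticator, 0)
        return BASE_TRUST[authenticator] * (100 - pct) // 100


@dataclass
class Session:
    authenticators: List[str]   # factors the user has already presented
    minutes_since_auth: int     # time since the last authentication event


def fresh_score(authenticators: List[str], policy: TrustPolicy) -> int:
    """Score if every listed authenticator had just been presented."""
    return min(MAX_SCORE, sum(policy.weight(a) for a in set(authenticators)))


def session_score(session: Session, policy: TrustPolicy) -> int:
    score = fresh_score(session.authenticators, policy)
    # Assumed decay rule: a session older than the policy's age limit is
    # worth half as much until the user reauthenticates.
    if session.minutes_since_auth > policy.max_session_age_minutes:
        score //= 2
    return score


def evaluate(session: Session, policy: TrustPolicy,
             required: int) -> Tuple[bool, List[str]]:
    """Compare the session's score to a function's trust requirement.

    Returns (allowed, options). When access is denied, `options` lists the
    step-ups that would lift the score to `required`, so the caller can
    prompt the user instead of silently rejecting the request.
    """
    score = session_score(session, policy)
    if score >= required:
        return True, []

    options: List[str] = []
    stale = session.minutes_since_auth > policy.max_session_age_minutes
    if stale and fresh_score(session.authenticators, policy) >= required:
        options.append("reauthenticate")
    # Presenting an additional factor also counts as a fresh authentication.
    for extra in BASE_TRUST:
        if extra in session.authenticators:
            continue
        if fresh_score(session.authenticators + [extra], policy) >= required:
            options.append(f"present {extra}")
    return False, options


if __name__ == "__main__":
    policy = TrustPolicy()
    s = Session(["password", "totp"], minutes_since_auth=10)
    print(evaluate(s, policy, required=50))   # allowed at 50
    policy.degrade("totp", 50)                # e.g. a zero-day in the TOTP app
    print(evaluate(s, policy, required=50))   # denied, with step-up options
```

The point of returning the options list rather than a bare denial is the behaviour Chandler describes: the user learns which step-up (reauthenticating, or adding a PIV or second MFA service) would satisfy the function's requirement. A real deployment would also feed network signals into the score and record each evaluation for audit; both are left out here.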
The Department of Commerce is also interested in evaluating the trust of users and devices, but network evidence isn’t yet feeding into and informing its zero-trust architecture.
“We’re just not there yet because the investments haven’t come through,” said Lawrence Anderson, deputy chief information officer at the Department of Commerce. “But at some point we’re going to need some advanced tools to get to that advanced level of zero trust that we want to get to.”
OMB has for years run the MAX.gov system, which authenticates users with PIV cards. Agencies use MAX.gov for their budget systems and other use cases.
“MAX.gov is being transitioned to GSA,” Chandler said. “So by the end of next year GSA is supposed to have stood up an alternative solution which, as I understand it, is going to be based on Azure Active Directory.”