A technology industry trade group has called on the Office of Management and Budget to expand prioritization guidance for agencies as they roll out zero-trust security architectures across government.
In a letter sent Wednesday to OMB, the Information Technology Industry Council said it should offer more detailed criteria for departments to follow over which systems – such as high-value data assets – should be migrated to a zero-trust environment first.
ITI’s recommendations come after tech officials earlier this month suggested the strategy needs more deadlines to help agencies decide how to prioritize resources. It submitted the evidence as part of a consultation the White House has launched to obtain feedback from industry on its zero-trust strategy.
Currently the draft strategy simply requires agencies to complete its identity, device, network, application and data actions by the end of fiscal 2024 — a broad deadline that doesn’t offer guidance on how to prioritize them individually.
“OMB may also consider linking this guidance to known threats, existing high-risk vulnerabilities, and targeted asset classes to have a more impact initial response,” the trade group said.
It added in its letter that the process of migrating systems to a zero-trust architecture must involve agency leadership and have external buy-in, including through engagement with oversight committees.
ITI noted also that given agencies have adopted policies and tools to enable hybrid work environments during the COVID-19 pandemic, OMB’s guidance should provide recommendations for how zero-trust architectures can succeed in environments with hybrid and bring-your-own-device (BYOD) policies.
“We agree with OMB’s objective to promote the intelligent and vigorous use of modern technology and security practices, while simultaneously avoiding disruption by malicious cyber campaigns,” the letter says, “The strategy will provide actionable guidance to agencies as they are undergoing a major paradigm shift. Given the criticality of the subject matter, we encourage OMB to keep involving relevant stakeholders in the drafting of such guidance.”
ITI added that it remains committed to sharing its experience and lessons learned to help streamline the federal adoption of zero trust.
The rollout of zero trust was earlier this year propelled to the front of the agenda for agencies across government by the Biden administration’s cybersecurity executive order.