White House publishes final zero trust strategy for federal agencies

The final guidance includes requirements for multi-factor authentication and the encryption of all DNS and HTTP traffic.

The White House on Wednesday published a final version of its zero-trust architecture strategy, which is intended to substantially improve the cybersecurity of government agency systems by 2024.

Key aspects of the new document include an enhanced focus on multi-factor authentication, a requirement that departments move towards encrypting all DNS requests and HTTP traffic, and a requirement that they begin segmenting their network perimeters into separate, isolated environments.

The finalized plan comes after the Office of Management and Budget in September last year published a draft zero trust document that identified top cybersecurity priorities, including the consolidation of agency identity systems and treating all internal networks as untrusted. The latest plan moves agencies further towards fulfilling the requirement included in the Cybersecurity Executive Order issued last May by President Biden.

Included in the new document are a number of concrete deadlines by which senior technology leaders must ensure certain security measures are enacted.


Within 60 days of the memorandum being issued, agencies must incorporate the additional requirements identified in the document and submit an implementation plan for fiscal 2022-2024 to OMB and CISA for review.

The new memo also requires that, within 120 days, agency chief data officers work with their staff to develop a set of initial categorizations for sensitive electronic documents within their departments, which could be used to automatically monitor and restrict the sharing of those documents.

According to the new guidance, agencies must also create reliable asset inventories through participation in CISA’s Continuous Diagnostics and Mitigation program. They must also ensure that endpoint detection and response tools meet CISA’s technical requirements and are deployed widely.

Also in support of the memo implementation, CISA and GSA will collaborate to create a procurement structure for agencies that allows for rapid acquisition of rigorous application-security testing capabilities.

“As a result of this work, agencies should be able to schedule most work within less than a month (or in high-urgency situations, a few days),” OMB said in the memo.

In addition, the new document calls on the Federal Chief Data Officer Council and the Federal Chief Information Security Officer Council within 90 days to create a joint working group on zero-trust data for agencies, with representatives of both councils and led by OMB.

Agencies will have 30 days from the publication of the memorandum to designate and identify a zero-trust strategy implementation lead for their organization.

Commenting on the new strategy, Alliance for Digital Innovation Executive Director Ross Nodurft said: “As the strategy notes, this is the beginning of a journey for agencies and ADI member companies look forward to partnering with departments and agencies to provide innovative commercial and cloud based solutions that can secure data, applications, devices, and identities as agencies move away from traditional network boundaries.

“ADI supports OMB’s efforts to budget for these requirements and encourages Congress to provide the necessary resources for agencies to make these much needed security investments this year and not wait until 2024,” he added.

Speaking at an ATARC event Wednesday, Director of GSA’s IT Modernization Division Tom Santucci added that his team is in the process of identifying gaps in federal zero-trust guidance, in order to develop its own policy playbook.

“We seem to be more of a traffic cop for zero trust because everyone is trying to develop some documents in some form or fashion with that, and we’ve become sort of the librarian of all of these documents,” Santucci said. “And we’re not trying to replicate anything that’s already been produced, particularly by [the Department of Defense] or some other entities like [the National Institute of Standards and Technology].”

Dave Nyczepir contributed to this report.