OMB’s Zero Trust Memo Promoting Initial Data Categorization and Zero Trust Implementation – MeriTalk
With the 60-day deadlines for some of the objectives of the Office of Management and Budget’s Zero Trust Memo now in the rearview mirror, federal agencies should have a zero-trust implementation plan in place, focusing on initial data categorization and laying the groundwork for a zero-trust architecture.
Industry officials say this data categorization, coupled with a broader move toward security orchestration, automation, and response (SOAR), will ultimately save federal agencies time and give them more long-term visibility.
“Overall, I think [the OMB memo is] very positive,” said Matt McFadden, vice president, cyber, and distinguished technologist for General Dynamics Information Technology (GDIT), in an interview with MeriTalk. “It’s really focused on starting the journey towards implementing zero trust across all agencies.”
“With that, agencies need to understand what some of the important actions are to start that journey,” McFadden said. “With the OMB setting these timelines, it really helps them prioritize one of the key efforts and helps them understand that there is some urgency to this, especially with respect to each of the pillars.”
McFadden, who said GDIT has worked with federal agencies on their zero-trust implementation plans, said that from a data perspective, many agencies are focused on initial categorization of their data. He said that ultimately, federal agencies seek to achieve a high level of maturity, and that’s part of where the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model comes in.
CISA released a draft of its Zero Trust Maturity Model in September 2021, the same day that the OMB released its draft Zero Trust memo. Although a final version of the model has yet to be released, both the maturity model and the memo play into the larger themes of President Biden’s Executive Order (EO) on cybersecurity.
“Ultimately, they’re trying to move to a mature zero-trust architecture,” McFadden said. “OMB’s zero-trust strategy was a very good way for the White House to meet some of the requirements of the executive order.”
Among those requirements, McFadden highlighted the memo’s focus on the device pillar of Zero Trust architectures and the deployment of an enterprise-wide endpoint detection and response solution in federal agencies. Additionally, he mentioned the ability of agencies to more easily share information with CISA, as well as the need to engage in more cybercrime hunting, detection, and response activities.
He also noted the requirements listed in the memo to improve event logging, retention, and cloud security services. However, McFadden cautioned that the memo is very clear in noting that beginning in the 2022-24 fiscal years, agencies will largely have to use existing agency funds to meet the requirements.
“They’ve been very clear in the 2022-24 fiscal year that they have to use existing agency funds, and understand that I think they’re putting the goalpost very close to where the agencies can achieve these actions very easily with this implementation plan,” he said. “[Agencies are] establishing their budget.
“I guess in the years to come and [FY]24, you’re going to see an increase in Zero Trust funding that will help spur a lot of these efforts.”
He said that in the meantime, agencies should continue to use the General Services Administration’s Technology Modernization Fund to help fund their zero-trust goals.
“The entire industry, government, and all government efforts are embracing zero trust as a more effective cybersecurity strategy in the wake of many of these recent cyber events,” McFadden said. “So I think people should accept it.”
Steps to SOAR
The memo also included a 120-day timeline for initial data categorization for SOAR technologies. SOAR technologies work like a dashboard, allowing agencies to visualize events and automatically decide how to react to them; however, these features require a lot of data to work.
While it would be unreasonable to expect federal agencies to fully implement SOAR capabilities within 120 days, the memo brings them one step closer by requiring all federal agency data managers to develop an initial categorization of sensitive data, “for the purpose of automatically monitoring and potentially restricting the sharing of such materials,” the memo reads.
“There’s a lot of great technology that can be leveraged in this, but the idea is really for agencies, in real time, to use automation to understand the data they have, to categorize it, deploy analytics, and respond, deploy countermeasures against the things they see.
“The threats are constantly increasing and the environments are constantly increasing; they migrate to the clouds, and security teams don’t grow as fast to respond to those efforts,” he added. “So I think everyone recognizes automation as a key thing to adopt, to adapt to these threats. So with zero trust, that’s still important, and it’s good to see that as a central pillar towards which agencies must work.”
Other industry officials also see SOAR as a major component of Zero Trust architectures as a whole and view the initial categorization deadline as a step in getting agencies to this point. Josh McCarthy, chief product officer for Revelstoke Security, is in this camp.
“SOAR has a huge place in zero-trust architecture,” McCarthy said in an interview with MeriTalk. “When you look at the whole zero-trust architecture magnified, it’s critical that permissions — for all the things you want to do with zero trust — make them manageable.”
“Because if you ever do all the things manually in this architecture, nobody wants to do it,” McCarthy added. “So SOAR really helps in that area. … It plays an important role in the overall architecture.”
McCarthy said some of the major use cases for SOAR revolve around phishing and malware, but then he said, “It’s a Venn diagram with very little overlap, where you know which is people’s biggest problem and what they want to address with automation.”
McFadden put it succinctly, “You can’t defend what you don’t know you have.”
“The most important first step is to understand what your data is,” McFadden added. “Once you really understand that, we can start driving protection. Zero trust is a strategy, and I don’t think it ever stops. Through the OMB memo, we’ll start to focus more on driving the maturity of each of these pillars and then setting new goals that will contribute to a more effective implementation, so hopefully we will have a zero trust baseline implementation very soon.”