Recent Updates in the Federal Government’s Zero Trust Guidelines and Requirements
Within the last couple of years, the government has placed increasing importance on zero trust architecture (ZTA) requirements for cybersecurity.
On May 12, 2021, Executive Order (EO) 14028, titled “Improving the Nation’s Cybersecurity,” was released, requiring agencies to enhance cybersecurity and software supply chain integrity by developing a plan to implement zero trust principles. EO 14028 marked a renewed commitment to and prioritization of federal cybersecurity modernization. The order requires service providers to share cyber incident and threat information that could impact Government networks. It also establishes baseline security standards for the development of software sold to the government, including requiring developers to maintain greater visibility into their software and to make security data publicly available.
Then, in January 2022, Memorandum 22-09 was released as a follow-up to EO 14028. This memorandum sets forth a Federal ZTA strategy, requiring agencies to meet cybersecurity objectives by the end of Fiscal Year 2024 to reinforce Federal Civilian Executive Branch (FCEB) defense. In this document, the government states that we must make a “dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.” The Department of Defense’s (DoD) Zero Trust Reference Architecture is also referenced in M-22-09. The DoD states that the foundational tenet of the Zero Trust Model is that no user, system, network, or service operating outside or within the security perimeter is trusted. Instead, anything and everything attempting to establish access must be verified.
The latest government update regarding zero trust security is the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Maturity Model Version 2.0, which was released in March of 2022. CISA’s Zero Trust Maturity Model (ZTMM) is one of many paths that an organization can take in designing and implementing its transition plan to zero trust architectures in accordance with EO 14028 and M-22-09. A typical plan will assess an agency’s current cybersecurity state and plan for a fully implemented ZTA. CISA’s ZTMM assists agencies in the development of their zero trust strategies and the continued evolution of their implementation plans.