With Federal employees accessing critical information, systems, and applications from anywhere, the mindset has shifted to never trust and always verify. Federal security experts explained that this shift put a focus on a new critical aspect of a zero trust architecture – identity management.
“Identity sits at the heart of any zero trust implementation,” Carole House, the Cybersecurity and Secure Digital Innovation director for the White House National Security Council, said during an ATARC virtual event on Feb. 1.
“And we see this seriousness in identity management with OMB’s [Office of Management and Budget] recent zero trust directive,” House said.
OMB memorandum 22-09 set forth a Federal zero trust architecture strategy requiring agencies to meet specific cybersecurity standards and objectives by the end of fiscal year 2024 to reinforce the government’s defenses against increasingly sophisticated and persistent threat campaigns.
“Identity remains the first pillar in the memo. And we see this with the push for phishing-resistant multi-factor authorization to protect systems,” Grant Dasher, from the office of the Technical Director for Cyber at the Cybersecurity and Infrastructure Security Agency, said at the panel.
However, as consumers of commercial capabilities, some Federal agencies will face challenges in validating commercial solutions that comply with zero trust standards.
“As a consumer of commercial solutions, a challenge we might face is validating that those commercial solutions comply with zero trust standards,” Jeffery Shilling, the CIO for the National Cancer Institute at the U.S. Department of Health and Human Services, said.
“The question now is, as zero-trust becomes the norm across government, will the administration formulate a standardized approach to selecting solutions that comply with zero trust principles,” Shilling said.
In response to Shilling’s comments, House stated that the Biden-Harris administration has clearly shown its support for increased zero trust efforts with the slew of directives and guidance it has released. However, agencies must remember that this is not an easy journey, and validating commercial solutions against zero trust standards is an issue that will take a long time to unpack.
“The challenge in building an identity-centric system is time. This is a shift that is going to take time to implement. But agencies must also remember that cybersecurity is a team sport and keeping constant communication on what works and doesn’t work will only make our framework stronger,” House said.
“While we still have a way to go in our zero trust journey, we also have to acknowledge that we have come a long way in the 7+ years we have been working on this,” Dasher said.