With the 60-day deadlines for some of the objectives from the Office of Management and Budget’s Zero Trust memo now in the rearview, Federal agencies should have a zero trust implementation plan in place, with a focus on initial data categorization and laying the groundwork for a zero trust architecture.
Industry officials say this data categorization, along with a broader move toward Security Orchestration Automation and Response (SOAR) will ultimately save Federal agencies time and give them more visibility in the long run.
“Overall, I think [the OMB memo is] very positive,” Matt McFadden, vice president for cyber and a distinguished technologist for General Dynamics Information Technology (GDIT), said in an interview with MeriTalk. “It really focuses on beginning the journey on implementation of zero trust across agencies.”
“With that, the agencies need to understand what some of the important actions are to begin that journey,” McFadden said. “With the OMB setting those deadlines, it really helps them prioritize any of the key efforts as well as helps them understand there’s somewhat of an urgency to this, especially in regard to each of the pillars.”
McFadden, who said GDIT has worked with Federal agencies on their zero trust implementation plans, said that from a data standpoint, many agencies are focused on the initial categorization of their data. He said that at the end of the day, Federal agencies are looking to move towards a high level of maturity, and that, in part, is where the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model comes in.
CISA released a draft of its Zero Trust Maturity Model in September 2021, the same day as OMB released its draft Zero Trust memo. While a version of the model has not been released yet, the maturity model and memo both play into the larger themes of President Biden’s cybersecurity executive order (EO).
“Ultimately, they’re trying to move to a mature zero trust architecture,” McFadden said. “The OMB zero trust strategy was a really good way for the White House to drive some of the executive order requirements.”
Among those requirements, McFadden keyed on the memo’s focus on the device pillar of zero trust architectures and deploying enterprise-wide endpoint detection and response solutions across Federal agencies. Additionally, he mentioned agencies’ ability to more easily share information with CISA, as well as the need to engage in more cyber hunt, detection, and response activities.
He also noted requirements listed in the memo for improving event logging, retention, and cloud security services. However, McFadden cautioned that the memo is very clear in noting that from fiscal years (FY) 2022-24, agencies will largely have to use existing agency funds to meet requirements.
“They were very clear, within FY2022-2024 that they have to use existing agency funds and understanding that I think they put the goalpost very near somewhere agencies can meet those actions very easily with that implementation plan,” he said. “[Agencies are] putting together what their forecasted budget is.”
“I would assume in the out years and [FY]24, you’re going to see an increase in zero trust funding help drive a lot of these efforts.”
He said, in the meantime, agencies should continue to utilize the General Services Administration’s Technology Modernization Fund to help subsidize their zero trust goals.
“The whole industry, government, and every effort in government is embracing zero trust as a more effective cybersecurity strategy in the wake of a lot of these recent cyber events,” McFadden said. “So, I think folks should embrace it.”
Steps Towards SOAR
The memo also included a 120-day deadline for initial data categorization with an eye toward SOAR technologies. SOAR technologies function as a dashboard for agencies to automatically view and decide how to respond to events; however, those functionalities require a lot of data to operate.
While it would be unreasonable to expect Federal agencies to fully stand up SOAR capabilities within 120 days, the memo gets them one step closer by requiring all Federal agency chief data officers to develop an initial categorization of sensitive data, “with the goal of automatically monitoring and potentially restricting the sharing of these documents,” the memo says.
“There’s a lot of great technologies that can be leveraged as part of that, but the whole idea is really for agencies to, in real-time, use automation to understand the data they have to categorize it, deploy some analysis, and respond, deploy countermeasures against the things that they’re seeing.”
“Threats are ever-increasing and the environments ever-increasing; they’re moving to clouds, security teams aren’t growing as fast to respond to those efforts,” he added. “So, I think everyone recognizes automation as a key component to adopt, to scale to those threats. So, with zero trust it’s ever-important, and it’s good to see that as a core pillar that agencies have to work towards.”
Other industry officials also see SOAR as a major component of zero trust architectures as a whole and see the initial categorization deadline as a step towards getting agencies to that point. Count Josh McCarthy, chief product officer for Revelstoke Security, among that camp.
“SOAR has a huge place in the zero trust architecture altogether,” McCarthy said in an interview with MeriTalk. “When you look at the whole zero trust architecture zoomed out, it is critical to the permissions – to all the things that you want to do with zero trust – to make them manageable.”
“Because if you ever do all the stuff in that architecture manually, nobody wants to do that,” McCarthy added. “So, the SOAR really helps in that area. … It has a big part in the overall architecture.”
McCarthy said that some of the primary use cases for SOAR revolve around phishing and malware, but he said after that, “it’s a Venn diagram with very little overlap all over the place of you know what people’s biggest pain point is and that they want to address with automation.”
McFadden put it succinctly, “You can’t defend what you don’t know you have.”
“The greatest first step is understanding what your data is,” McFadden added. “Once you really understand that, then we can begin to drive protection. Zero trust is a strategy, and I don’t think it ever stops. Through the OMB memo, we’ll start moving to focus more on driving the maturity of each of these pillars, and then, setting new goals that help drive towards more effective implementation. So, hopefully, we’ll have a baseline zero trust implementation very soon.”