Ross Nodurft, executive director of the Alliance for Digital Innovation and former chief of the Office of Management and Budget’s (OMB) cybersecurity team, gave positive reviews to the final version of OMB’s zero trust security directive to Federal agencies, but also noted agencies’ ability to find funding to implement the strategy in the near term remains somewhat cloudy.
The final version of the OMB policy published today builds on a draft version the agency issued last year and is one of the pillars of the Biden administration’s sweeping aims to improve Federal cybersecurity.
While the broad aims of the final policy didn’t stray far from those in the draft version, Nodurft told MeriTalk that the document does a good job communicating to agencies not only about big-picture concepts but also about details for the many next steps.
“I think OMB did a really solid job with this memo,” he said. “I think they did a good job from an organizational perspective, a good job tying the zero trust policy back to other policies that are out there.”
“Clearly, they did a good job making sure that the objectives are clearly detailed, and that’s important because I think it’s going to give agencies directions to really develop their implementation plans,” Nodurft continued.
He pointed out that Federal agencies have been on notice since last September, when OMB released its draft zero trust policy, that the definitive policy was coming, and so have had time to prepare for meeting some of the final policy’s timelines – in particular, to present to OMB and the Cybersecurity and Infrastructure Security Agency (CISA) the latest version of their zero trust implementation plans.
“I think the plans that agencies are developing are the start of a process,” he said. “At the end of the 60 days, a document that is produced is going to be the start of what hopefully will be a living document.” Agency planning, he also noted, will continue to be shaped by subsequent OMB and CISA guidance templates and best practices input.
The final OMB zero trust guidance tells agencies to work in the near term to give OMB and CISA budget estimates for their zero trust work for Fiscal Year 2024.
But for FY2022 and FY2023, OMB advised agencies to “internally source” funding for zero trust to achieve “priority goals,” or to seek money from other sources including internal agency working capital funds and the Technology Modernization Fund (TMF).
“Hopefully, agencies saw ahead a little bit and started to put money into their FY2023 budgets,” Nodurft said.
“With that said, I think it now shifts over to Congress, and Congress has an opportunity to work with agencies to resource these requirements before budgets are finalized in 2024,” he said. “I think it’s important that agencies make investments now to start building out their zero trust architectures sooner rather than later.”
Federal Leadership Support
Commenting on the final zero trust policy release, Federal CIO Clare Martorana said, “Security is the cornerstone of our efforts to build exceptional digital experiences for the American public.”
“Federal agency CIOs and IT leadership are leaning into this challenge, and the zero trust strategy provides a clear roadmap for deploying technology that is secure by design and responsive to the needs of our workforce so they can better deliver for the American public,” she said.
“It was extremely important for us to work collaboratively with top experts across the government, industry, and academia and build consensus around the highest value starting points for a defensible zero trust architecture,” added Federal CISO Chris DeRusha. “This strategy will serve as the foundation for a paradigm shift in Federal cybersecurity, and provide a model for others to follow.”
National Cyber Director Chris Inglis called the zero trust strategy “a major step in our efforts to build a defensible and coherent approach to our federal cyber defenses.” He continued, “We are not waiting to respond to the next cyber breach. Rather, this Administration is continuing to reduce the risk to our nation by taking proactive steps towards a more resilient society.”
“As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” added CISA Director Jen Easterly. “Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.”
Positive Tech-Sector Feedback
The final OMB policy generated positive feedback from other tech-sector quarters as well.
“The finalized Zero Trust strategy is a major step forward. We applaud OMB for calling out the key pillars for Zero Trust success,” Stephen Kovac, Chief Compliance Officer and Head of Global Government Affairs, Zscaler, said in a statement to MeriTalk.
“This strategy includes utilizing the internet as the future agency network, where all applications should be internet accessible, and no longer focusing on a hardened perimeter approach,” he said. “These are key components of the path to Zero Trust, but now the challenge is that agencies must secure what they can’t control. Zero Trust is the path to achieve that control. Secure the user, not the network – this is the value and opportunity of Zero Trust security.”
“We also must keep the funding priority front and center to implement zero trust environments and modernize Federal cybersecurity,” Kovac said.
“We commend the Biden Administration’s persistent effort to improve the United States’ cybersecurity in the face of relentless threats,” commented Gordon Bitko, Senior Vice President of Policy for Public Sector at the Information Technology Industry Council.
“The strategy outlined in today’s memo will provide actionable guidance to agencies as they shift to a zero trust paradigm, which embraces a stronger, more coordinated, whole-of-government approach to cybersecurity risk management,” he said. “This strategy will help enable agencies and leaders to advance a common security baseline across the federal government by linking the modernization of government IT to cybersecurity, specifically on the efforts regarding zero trust.”
“To be successful, we recommend OMB works with agencies to ensure that appropriate budget and priority decisions are made, as well as Congress to make sure proposed FISMA reform requirements are aligned and consistent,” Bitko continued. “We appreciate the administration’s willingness to incorporate industry’s feedback and encourage it to continue working with cybersecurity experts to ensure that implementation plans reflect the most modern and secure solutions.”