Stating that the U.S. federal government “can no longer depend on perimeter-based defenses to keep its critical systems and data safe,” the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) released a draft memorandum outlining a very aggressive goal: to have all federal agencies adopt a zero-trust security architecture by 2024. The memorandum seeks to provide clarity and a path forward for federal agencies in support of recent security-related executive orders from the White House, including a May 2021 EO mandating that federal agencies use multi-factor authentication (2FA) and end-to-end encryption.
The OMB and CISA memorandum requires federal agencies to meet specific zero-trust security goals related to identity, devices, networks, applications, and data by the end of Fiscal Year 2024. These goals align with the five pillars of CISA’s zero-trust maturity model:
1. Identity: Federal agencies must deploy a single sign-on (SSO) solution, use “phishing-resistant” 2FA, and “adopt secure password policies and check passwords against known-breached data.”
2. Devices: The federal government must maintain “a complete inventory of every device it operates and authorizes for Government use” and manage incident detection and response for those devices.
3. Networks: Federal agencies must encrypt all DNS requests and HTTP traffic, segment their networks, and encrypt email in transit.
4. Applications: Federal agencies must treat all applications as though they were connected to the internet, conduct routine and “rigorous” testing, and accept external vulnerability reports.
5. Data: Federal agencies must be on a “clear, shared path to deploy protections that make use of thorough data categorization,” use cloud security solutions to monitor access to sensitive data, and implement “enterprise-wide logging and information sharing.”
The memorandum is open for public comment until September 21. Within 30 days of the final memorandum being published, federal departments and agencies must “designate and identify a zero trust architecture implementation lead for their organization.”
How Keeper Can Help Government Agencies Reach Zero Trust
As the only password management solution provider available on the FedRAMP marketplace, Keeper’s zero-trust and zero-knowledge enterprise password management and cybersecurity platform is the perfect solution for federal government agencies to meet all of the Identity requirements of the OMB memo, along with most of the Data requirements. Let’s take a look:
The Keeper Enterprise Password Management Platform (EPM)
Keeper’s EPM enables IT administrators to implement and enforce strong password policies throughout their organizations. Using the Keeper admin console, administrators can customize password strength to meet federal government requirements, and they can automate policies regarding how passwords are handled within applications, such as SSO and 2FA.
Fine-grained access controls allow administrators to set employee permissions based on their roles and responsibilities, set up securely shared folders for departments or groups, and enable secure, granular, and controlled sharing of credentials, secrets, and vaults among employees and teams. Keeper supports role-based access control (RBAC), auditing, event reporting, and compliance standards including GDPR and ISO 27001.
Protect critical government assets and prevent data breaches with Keeper Enterprise.
Keeper Secure File Storage (SFS)
In support of the OMB’s requirement for enterprise-wide information sharing, Keeper SFS enables efficient, secure, vault-to-vault sharing of stored files with other Keeper users. Just like passwords stored in Keeper, users can set sharing permissions for digital files (read-only, edit, share, or edit and share).
Keeper uses PBKDF2 to derive authentication keys based on the user’s Master Password, then generates individual record-level AES-256 encryption keys locally on the device to encrypt each stored file. Keeper’s cloud only holds the encrypted ciphertext of each file, and sharing between users is performed using PKI to ensure that only the recipient of a shared file can decrypt it. Keeper’s zero-knowledge encryption methods ensure that only the user can access and decrypt their stored files.
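To make the key hierarchy in the paragraph above concrete, here is an added Go sketch of that pattern. It is example code written for this page, not Keeper’s code and not a description of how Keeper actually implements it: PBKDF2 derives an authentication key from the master password, a separate random AES-256 key generated on the client encrypts each record or file with GCM, the server side holds only nonce and ciphertext, and sharing wraps the record key to the recipient’s RSA public key with OAEP. The salt, iteration count, sample file contents and the recipient’s RSA keypair are constructed for the example, and PBKDF2-HMAC-SHA256 is written out inline so the block needs only the standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) written out so the
// example needs only the standard library. The iteration count is a parameter here, not a recommendation.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, keyLen+prf.Size())
	for block := 1; len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(P, U_{i-1})
			for j := range t {
				t[j] ^= u[j] // T = U_1 xor ... xor U_c
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// gcmFor builds an AES-256-GCM AEAD from a 32-byte record key.
func gcmFor(recordKey []byte) (cipher.AEAD, error) {
	if len(recordKey) != 32 {
		return nil, errors.New("record key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(recordKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// newRecordKey generates a fresh random AES-256 key on the client for one record or file.
func newRecordKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// encryptRecord seals plaintext under the record key and returns nonce || ciphertext,
// the only form of the record the server ever holds.
func encryptRecord(recordKey, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(recordKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptRecord opens nonce || ciphertext; any tampering with the stored blob fails here.
func decryptRecord(recordKey, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(recordKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// wrapRecordKey encrypts the record key to a recipient's RSA public key (RSA-OAEP), so a
// shared file can be opened only by the holder of the matching private key.
func wrapRecordKey(pub *rsa.PublicKey, recordKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, recordKey, []byte("record-key"))
}

// unwrapRecordKey is the recipient's side of the share.
func unwrapRecordKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte("record-key"))
}

func main() {
	salt := []byte("per-user-salt") // constructed; real salts are random per user
	authKey := pbkdf2SHA256([]byte("correct horse battery staple"), salt, 100000, 32)
	fmt.Printf("auth key (used for login, never for decryption): %x...\n", authKey[:8])

	recordKey, _ := newRecordKey()
	blob, _ := encryptRecord(recordKey, []byte("contents of a shared file")) // constructed sample
	fmt.Printf("server stores only ciphertext: %x...\n", blob[:16])

	bob, _ := rsa.GenerateKey(rand.Reader, 2048) // recipient keypair, constructed for the example
	wrapped, _ := wrapRecordKey(&bob.PublicKey, recordKey)
	bobKey, _ := unwrapRecordKey(bob, wrapped)
	plain, err := decryptRecord(bobKey, blob)
	fmt.Println("recipient decrypts:", string(plain), err)
}
```

The property worth checking in any “zero-knowledge” design is the one the block makes explicit: the value derived from the master password is used only to authenticate, the key that decrypts a record never leaves the client unencrypted, and a copy of the server’s database yields nothing but GCM ciphertexts and OAEP-wrapped keys. GCM also gives integrity, so a modified blob is rejected on decryption rather than silently producing garbage.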
Keeper SSO Connect™
While some SSO identity providers (IdPs) provide basic password management tools for websites that do not use SAML, these tools are typically proprietary to each IdP, may not be compatible with every data environment or tech stack, and may not use a zero-knowledge security architecture. Keeper SSO Connect bridges these security and functionality gaps, enabling government agencies to easily and seamlessly extend their SSO deployments with Keeper’s zero-knowledge EPM.
Keeper SSO Connect is a fully managed, SAML 2.0 SaaS solution that can be deployed on any instance or in any Windows, Mac OS, or Linux environment, in the cloud or on-prem. It easily and seamlessly integrates with all popular SSO IdP platforms, including Microsoft 365, Azure, ADFS, Okta, Ping, JumpCloud, Centrify, OneLogin, and F5 BIG-IP APM.
Keeper SSO Connect doesn’t require any on-premises or customer cloud-hosted services, nor does it require any additional software or equipment. Setup is accomplished in two easy steps:
1. Configure SSO Connect within the Keeper Admin Console.
2. Enable and configure the Keeper Application within the IdP.
In support of the OMB’s requirement for agencies to “check passwords against known-breached data,” Keeper BreachWatch scans Dark Web forums and notifies IT administrators if any employee passwords have been compromised in a public data breach.
Keeper takes only minutes to deploy, requires minimal ongoing management, and scales to meet the needs of any size department or agency.
Contact our cybersecurity experts to deploy a secure, effective and simple zero-trust solution at +1 202-946-4575 or firstname.lastname@example.org.