While acknowledging that zero-trust implementation will be a “journey” with “learning and adjustments along the way,” the Office of Management and Budget (OMB) has finalized and released a memorandum detailing specific zero-trust milestones for federal agencies to achieve by the end of Fiscal Year (FY) 2024. Under the memo, which is dated January 26, 2022, federal agencies have 30 days to designate zero-trust Strategy Implementation Leads, who will coordinate with the OMB on planning and implementation, and 60 days to submit an implementation plan and budget estimate.
The strategic goals outlined in the OMB’s memorandum align with the five pillars of a Zero-Trust Architecture (ZTA) as defined by the U.S. Cybersecurity and Infrastructure Security Agency (CISA):
Identity: Agency staff must use enterprise-managed identities, protected by Multi-Factor Authentication (MFA), to access work-related applications.
Devices: The Federal Government must maintain a complete inventory of every device it operates and authorizes, and it must be able to prevent, detect, and respond to incidents on those devices.
Networks: Agencies must encrypt all DNS requests and HTTP traffic within their environment, and begin executing a plan to break down their perimeters into isolated environments.
Applications and Workloads: Agencies must treat all applications as internet-connected, routinely conduct rigorous empirical testing, and welcome external vulnerability reports.
Data: Agencies must thoroughly categorize their data, implement cloud security services to monitor access to sensitive data, and utilize enterprise-wide logging and information sharing.
Are Federal Agencies Ready for Zero Trust?
The OMB’s timeline is rather aggressive. As of this writing, agencies have less than a month to name their implementation leads, and less than two months to submit an implementation plan and proposed budget. A recent survey by MeriTalk found that while 73% of federal cybersecurity leaders report that their agencies are already adopting zero-trust principles, 87% said they felt the OMB was moving too quickly, and only 1 in 10 feel they have sufficient support to achieve zero-trust maturity.
Password security is the foundation of cybersecurity and an easy yet highly effective starting point for any agency’s zero-trust journey. Keeper’s zero-knowledge password management and security platform gives IT administrators complete visibility into employee password practices, enabling them to monitor password use and enforce password security policies across the entire organization, including password complexity requirements, 2FA, Role-Based Access Control (RBAC), and other security policies.
For more information on how Keeper can help your agency kickstart your zero-trust journey and meet the upcoming OMB deadlines, download our free guide, “Adoption of Zero-Trust Architecture In Government Agencies.”