Zero Trust Takes Center Stage in New U.S. White House Guidance on Cybersecurity

On January 26, the U.S. White House Office of Management and Budget (OMB) issued a memorandum on advancing security measures to dramatically reduce the risk of successful cyberattacks against the federal government. The memo states that organizations can no longer depend on conventional perimeter-based defenses to protect critical systems and data, and specifically calls out the importance of verifying everything before granting access to your most important assets – a core value proposition of Zero Trust.

Here are a few takeaways from this news:

Zero Trust is a Vital Part of a Modern Cybersecurity Strategy

Zero Trust is re-emerging as a must-have for any organization that wants to improve its overall cybersecurity posture. In fact, in a recent study of more than 1,000 IT security professionals, 75% of executives characterized Zero Trust as critically or very important to bolstering their overall cyber defense (with only 1% disagreeing). In this same survey, 61% said that they were in the process of addressing Zero Trust, or that they would be formulating plans to do so in the next year.

Immediate Impact to U.S. Federal Agencies

The OMB’s memorandum also sets a timeline for U.S. agencies to meet specific security goals and standards: by the end of fiscal year 2024. More immediately, these agencies have 30 days to designate a ‘strategy implementation lead’ within their organization and 60 days to submit an implementation plan to the OMB. These timeframes are certainly tight, which underscores the relative importance the White House is placing on prescriptive security measures to protect government entities from anticipated future attacks.

Widely Applicable Across Sectors and Borders

While the guidance is primarily focused on addressing U.S. federal agencies, organizations across the private sector – in the U.S. and around the world – should take heed as well. Also of note, the latest memo follows a draft that was issued in September 2021. That draft received feedback from a variety of security experts, which was incorporated into this final draft – meaning it reflects best practices outlined by security experts from a variety of verticals and geographies. It also has been crafted with an eye toward establishing cybersecurity standards for companies that sell software services to the federal government.

Identity and MFA at the Core of Resilience

The memo places a significant emphasis on stronger enterprise identity and access controls, including multi-factor authentication (MFA). In fact, MFA is mentioned 18 times in the 29-page document. The memo also aligns its guidance directly with CISA’s draft Zero Trust Maturity Model, which calls out identity security as the first core pillar, stating: “Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.” As noted previously, OMB sees conventional perimeter-based defenses as only a slice of a contemporary cybersecurity strategy. It thus stands to reason that they also are focusing on identity to minimize the blast radius once a bad actor gains access.

Education is Critical for Zero Trust Success

While the information contained in the OMB memo is an important step forward in outlining key elements of Zero Trust, there is still work to be done from an education standpoint. In the previously mentioned survey, it was determined that only one in five security stakeholders are confident in their organization’s understanding of Zero Trust, and that a lack of clarity remains the top barrier to Zero Trust adoption. This is likely why only 14% of respondents said that they had a fully deployed solution, despite the obvious need. Fortunately, there are a number of excellent resources on the topic that you can leverage to learn more, including this brand-new web center titled What is Zero Trust.

In summary, the latest from the U.S. White House, which specifically calls out Zero Trust, further underscores the importance of verifying everything before handing over the keys to the kingdom. One Identity is uniquely positioned to help organizations address these requirements with our industry-leading Unified Identity Security portfolio. To learn more about Zero Trust from One Identity, click here. Or, for more information specifically on MFA, click here, where you can learn more about this product now available from OneLogin by One Identity.

You can also learn more about One Identity’s Public Sector Practice and security solutions by clicking here.
