Moving to Zero Trust – Implementing M-22-09 – Time is Running Out
Author: Nok Nok News
Published: 25 Jun 2024
Just over three years ago, on May 12, 2021, the Biden Administration released Executive Order (EO) 14028, Improving the Nation’s Cybersecurity. The EO marked a significant milestone in the ongoing battle against cyber threats, acknowledging the need to fortify the nation’s digital defenses in an increasingly interconnected and vulnerable landscape. It was not born in a vacuum: it built on years of mounting concern and hard-learned lessons from high-profile incidents that exposed vulnerabilities in both the public and private sectors, underscoring the urgency of a comprehensive overhaul of cybersecurity practices and a shift toward a zero trust approach.
Zero Trust Implementation in the Federal Government
The Executive Order required agencies to develop their own plans for implementing a Zero Trust Architecture. In January 2022, the Office of Management and Budget followed with Memorandum M-22-09, which sets out the federal zero trust strategy and the steps agencies must take to adopt it. It requires agencies to meet specific zero trust security goals by the end of Fiscal Year (FY) 2024, which ends on September 30, 2024. To say the clock is ticking is an understatement.
The EO recognized that protecting the perimeter is not enough. M-22-09 puts more specific requirements in place, organized around the five pillars of CISA’s Zero Trust Maturity Model: Identity, Devices, Networks, Applications and Workloads, and Data. Each pillar has an overarching vision and a set of actions that agencies must complete by the end of FY 2024, September 30th.
The vision for the Identity Pillar is “Agency staff use enterprise-managed identities to access the applications they use in their work.” The following specific actions are required:
- Agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms.
- Agencies must use strong MFA throughout their enterprise.
- MFA must be enforced at the application layer, instead of the network layer.
- For agency staff, contractors, and partners, phishing-resistant MFA is required.
- For public users, phishing-resistant MFA must be an option.
- Password policies must not require use of special characters or regular rotation.
- When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user.
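Several of these actions describe what an application, rather than a network gateway, has to check before it grants access. The following is an added illustration of such an application-layer access decision; it is not code from M-22-09 or from Nok Nok. It treats the RFC 8176 "amr" (Authentication Method Reference) values "hwk" (hardware-secured key, e.g. a FIDO2/WebAuthn authenticator) and "sc" (smart card) as phishing-resistant, requires them for staff, contractors and partners but merely accepts them for public users, and refuses to authorize on identity alone without a positive device-level signal. The claim names, the device posture keys ("managed", "compliant", "attested") and the user categories are assumptions for the example, and the caller is assumed to have already verified the token's signature and issuer.

```python
"""Application-layer access decision illustrating the M-22-09 Identity pillar
actions: the application checks MFA itself, demands phishing-resistant MFA for
workforce users (optional for the public), and combines the identity assertion
with at least one device-level signal. Constructed illustration; claim names,
device keys and user categories are assumptions, and token signature/issuer
verification is assumed to have happened before evaluate() is called."""
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set

# RFC 8176 amr values this policy treats as phishing-resistant: "hwk"
# (hardware-secured key, e.g. FIDO2/WebAuthn) and "sc" (smart card).
# Which values an IdP actually emits is deployment-specific (assumption).
PHISHING_RESISTANT_AMR = frozenset({"hwk", "sc"})

# Populations for which M-22-09 requires phishing-resistant MFA.
WORKFORCE = frozenset({"staff", "contractor", "partner"})

# Device-level signals accepted as a positive posture indication; assumed to
# come from an MDM/EDR posture lookup for the device the request came from.
DEVICE_SIGNALS = ("managed", "compliant", "attested")


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def is_multi_factor(amr: Set[str]) -> bool:
    """True when the assertion records multi-factor authentication: an explicit
    "mfa" marker, any phishing-resistant method (FIDO2 with user verification
    and PIV both combine possession with a PIN/biometric), or two methods."""
    if "mfa" in amr or amr & PHISHING_RESISTANT_AMR:
        return True
    return len(amr) >= 2


def has_device_signal(device: Dict[str, bool]) -> bool:
    """At least one positive device-level signal must accompany the identity."""
    return any(device.get(key) is True for key in DEVICE_SIGNALS)


def evaluate(claims: dict, device: Dict[str, bool], user_kind: str,
             now: Optional[float] = None) -> Decision:
    """Authorize a request from verified token claims plus device posture.
    Nothing here assumes a VPN or network perimeter already authenticated
    the user; every check runs inside the application."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return Decision(False, "assertion expired")

    amr = set(claims.get("amr", []))
    if not is_multi_factor(amr):
        return Decision(False, "single-factor authentication rejected")

    # Phishing-resistant MFA: mandatory for the workforce, optional for the public.
    if user_kind in WORKFORCE and not (amr & PHISHING_RESISTANT_AMR):
        return Decision(False, f"workforce user used phishable MFA: {sorted(amr)}")

    # Identity alone is not enough: a device-level signal must be considered too.
    if not has_device_signal(device):
        return Decision(False, "no positive device-level signal for this request")

    used = [key for key in DEVICE_SIGNALS if device.get(key) is True]
    return Decision(True, f"allowed: methods={sorted(amr)} device_signals={used}")


# Constructed sample assertions; the clock is fixed so scenarios are repeatable.
NOW = 1_700_000_000.0
FRESH = NOW + 300


def demo() -> Dict[str, Decision]:
    """Run the policy over six constructed scenarios."""
    return {
        "staff_fido_managed_device": evaluate(
            {"sub": "alice", "exp": FRESH, "amr": ["hwk", "mfa"]},
            {"managed": True}, "staff", NOW),
        "staff_otp_managed_device": evaluate(
            {"sub": "bob", "exp": FRESH, "amr": ["pwd", "otp", "mfa"]},
            {"managed": True}, "staff", NOW),
        "contractor_piv_unknown_device": evaluate(
            {"sub": "carol", "exp": FRESH, "amr": ["sc"]},
            {}, "contractor", NOW),
        "public_password_plus_otp": evaluate(
            {"sub": "dave", "exp": FRESH, "amr": ["pwd", "otp"]},
            {"attested": True}, "public", NOW),
        "public_password_only": evaluate(
            {"sub": "erin", "exp": FRESH, "amr": ["pwd"]},
            {"attested": True}, "public", NOW),
        "staff_expired_assertion": evaluate(
            {"sub": "frank", "exp": NOW - 1, "amr": ["hwk", "mfa"]},
            {"managed": True}, "staff", NOW),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:32} {'ALLOW' if decision.allow else 'DENY':5} {decision.reason}")
```

The point of the ordering is that a staff member who completed OTP-based MFA on a managed device is still denied (the method is phishable), and a contractor with a PIV smart card is denied when no device posture is known: both identity and device have to pass, and neither a VPN session nor network location substitutes for either check.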
The implementation plans M-22-09 requires should lead to stronger identity and access control, wide deployment of phishing-resistant MFA and, ultimately, better security.
The Memorandum points to open standards for this authentication, in particular the World Wide Web Consortium (W3C) Web Authentication (WebAuthn) standard, developed in collaboration with the Fast Identity Online (FIDO) Alliance as part of FIDO2. Agencies should have this deployment in place by the end of FY 2024 as part of their implementation plans.
Outlook and Technologies in Federal Cybersecurity – transition to passwordless
M-22-09 is not just focused on the looming deadline and the shift from perimeter to a zero-trust architecture. This is and will continue to be a large task. The Biden Administration is also looking down the road at how to leverage technologies to better secure the federal cyber infrastructure for the future. In the Identity Pillar this means federal agencies looking at the use of passwordless authentication. M-22-09 specifically states “Agencies are encouraged to pursue greater use of passwordless multi-factor authentication as they modernize their authentication systems.”
As a co-founder of the FIDO Alliance, Nok Nok has been at the forefront of developing the standards and the technology that deliver phishing-resistant MFA, ensuring that government employees, contractors and citizens can access information securely. Nok Nok remains committed to working with the federal government to deliver leading passwordless authentication solutions that support these requirements and enhance the government’s security posture now and in the future.
It is crunch time for many agencies to implement their zero trust plans, and inconsistencies in the federal appropriations cycle over the last several years could make it harder for some to get across the finish line. For many, this will mean a sprint to meet the September 30th deadline. Regardless, it remains clear that improved cybersecurity is a high priority for the federal government and, by extension, for our critical infrastructure. We can expect further updates and changes as technology improves and CISA works to fulfill its role of ensuring a more secure federal digital infrastructure.