Following up to the initiative to modernise and implement stronger cybersecurity standards in the US federal government, outlined in the cybersecurity executive order (EO) of May, the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) invited the public to provide feedbacks on the strategic and technical guidance documents. The three published documents -OMB's 'Federal Zero Trust Strategy', and CISA's 'Zero Trust Maturity Model' and 'Cloud Security Technical Reference Architecture' -provide practical guidance for the federal government towards turning to 'zero-trust' architecture, moving to the cloud, implementing multi-factor authentication (MFA), and strengthening the encryption.
While the maturity model presents a conceptual roadmap, the federal strategy provides main pillars for implementation, including the use of MFA, establishing the inventory of devices and ability to detect and respond to incidents, segmenting the network and introducing encrypted DNS and HTTPS, thorough testing of applications in use, tracking data and enhancing information sharing. The cloud security document, on the other hand, aims to walk agencies through how they can migrate to the cloud securely, in order to detect, respond to and recover from cyber incidents. According to the CSO portal, a major challenge is that no funding for federal agencies is dedicated to implement this mandate: agencies face skills shortages to implement a zero-trust approach, which requires continuous monitoring of all the connections, system components and data.