White House Publishes Federal Zero Trust Strategy

The White House on Wednesday released its federal zero trust strategy, requiring agencies to meet certain cybersecurity standards and objectives by the end of fiscal year 2024.

The strategy builds upon the executive order signed by President Joe Biden in May 2021 to improve the United States’ cyber defenses. The executive order was signed in response to the SolarWinds, Colonial Pipeline and other significant attacks carried out by foreign threat actors.

When a zero trust model is implemented, no user, system, network or service operating inside or outside the security perimeter is trusted, and every access attempt is verified.

The latest memorandum from the Office of Management and Budget (OMB) requires agencies to achieve certain goals by the end of 2024. These goals focus on identity, devices, networks, applications and workloads, and data — these are the five pillars described by the zero trust model of the DHS’s Cybersecurity and Infrastructure Security Agency (CISA).

Specifically, agency staff will be required to use enterprise-managed identities to access work applications and use phishing-resistant multi-factor authentication (MFA). Agencies will need to have a complete inventory of devices and visibility into those devices for incident prevention, detection and response.

Government organizations are required to encrypt traffic on their networks and implement network segmentation. As for applications, they will need to be routinely tested and agencies are advised to welcome external vulnerability reports.

Access to sensitive data will need to be monitored and enterprise-wide logging and information sharing systems will need to be implemented.

While agencies have until the end of 2024 to achieve these goals, they are required to update their plans for implementing a zero trust architecture within 60 days, and designate someone to lead zero trust implementation in their organization within 30 days.

“While the order rightfully includes centralized management of identities, it fails to identify the Governance of Privilege and invalid privileged account access, which is the riskiest identity for both the public and private sectors,” commented Raj Dodhiawala, president of privileged access management provider Remediant.

“The executive order also elaborates on Phishing-resistant MFA for protection but not enough on how to reduce the attack surface due to privilege sprawl,” Dodhiawala said. “While Phishing is a primary vector where an attack initiates, we know from the frequency and variety of today’s incidents in both public and private sector enterprises that privilege access security continues to be the weakest element. In fact, it’s the one that is immediately exploited in any successful attack and is the culprit of more than 74% of breaches.”

He added, “The majority of today’s attackers accomplish their mission by leveraging privilege (or admin) account sprawl — a very large attack surface. Once cyberattackers get a toehold on any system, elevating privileges and moving laterally to find crown jewels become relatively straightforward. OMB’s memorandum also distinguishes between authentication and authorization, but it does not go far enough to establish layered protection, which will prevent attackers from gaining any elevated privileges. This includes protecting admin authorization, and protecting organizations against the discovery of admin credentials, hashes or secrets from inside the network.”

Lucas Budman, CEO of identity solutions provider TruU, commented, “The initial step in any successful Zero Trust strategy should focus on granting access by verifying the person requesting access, understanding the context of the request, and determining the risk of the access environment. This never trust, always verify, enforce least privilege approach provides the greatest security for organizations.”

Budman added, “It’s also important in a Zero Trust construct to recognize that devices that access data (laptops, desktops, mobile devices) have identities, as well. You have to understand the device’s posture when accessing the network in order to provide proper device level authentication and authorization. If the user only has access to non-sensitive or public information, the enterprise may not care that their device might have malware; however, if the user is trying to access sensitive financial or customer data, access should only be given to those devices that are managed, trusted and protected.”

Last week, President Biden signed a memorandum focused on boosting the cybersecurity of National Security, Department of Defense, and Intelligence Community Systems.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
