On January 26th, 2022 the Office of Management and Budget (OMB) released the latest Memo 22-09 tied to the Zero Trust strategy outlined in the Executive Order 14028.
OMB M-22-09 is more prescriptive for agencies with timelines attached and Swish would love to share our thoughts on how this Memo is structured and what your agency can do about it.
Swish will be releasing a Blog Post series that covers the 5 pillars of Identity, Devices, Networks, Applications and Workloads, and Data.
At a high level, the strategy is summarized as:
These goals are organized using the Zero Trust (ZT) maturity model developed by the Cybersecurity and Information Security Agency (CISA). The Zero Trust model describes five complementary areas of effort (pillars): Identity, Devices, Networks, Applications and Workloads, and Data, with three themes across these five areas; Visibility and Analytics, Automation and Orchestration, and Governance.
CISA’s five pillars can be described as:
1. Identity: Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant Multi-Factor Authentication (MFA) protects that personnel from sophisticated online attacks.
2. Devices: The Federal Government has a complete inventory of every device it operates and authorizes for Government use, and can prevent, detect, and respond to incidents on those devices.
3. Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment, and begin executing a plan to break down their perimeters into isolated environments.
4. Applications and Workloads: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.
5. Data: Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data, and have implemented enterprise-wide logging and information sharing.
M-22-09 directs agencies to highest-value starting points to ZT architecture. The Office of Management and Budget (OMB) and CISA will work with agencies throughout their Zero Trust implementations to capture best practices, lessons learned, and additional agency guidance and make that available on a jointly maintained website at zerotrust.cyber.gov.
This is the first in a series of blog posts on Zero Trust and M-22-09. Each week, Swish will publish a new post covering the Summary, Situational Awareness Items, and Agency Action items for each section of the Memorandum. Swish Engineering POCs are available for individual discussions as well and can be reached at: firstname.lastname@example.org.