The White House released a new cybersecurity strategy Wednesday aimed at reducing the risk of cyberattacks against government infrastructure.
The strategy outlines the administration’s vision for moving government agencies towards a “zero trust” architecture — a cybersecurity model where users and devices are only given permissions to access network resources necessary for the task at hand, and are authenticated on a case-by-case basis.
The key document was published as a memorandum from the Office of Management and Budget (OMB), the administration’s policy arm, and addressed to the heads of all executive departments and agencies.
According to the memorandum, shifting towards a zero trust architecture will require the implementation of stronger enterprise identity and access controls including more widespread use of multi-factor authentication — specifically hardware-based authentication tokens like access cards, rather than push notifications or SMS. Agencies were also instructed to aim for a complete inventory of every device authorized and operated for official business, to be monitored according to specifications set by the Cybersecurity and Infrastructure Security Agency (CISA).
“In the face of increasingly sophisticated cyber threats, the Administration is taking decisive action to bolster the Federal Government’s cyber defenses,” said acting OMB director Shalanda Young in a statement. “This zero trust strategy is about ensuring the Federal Government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the United States harm.”
The White House’s announcement cited the Log4j security vulnerability as “the latest evidence that adversaries will continue to find new opportunities to get their foot in the door.” The vulnerability, one of the most serious and widespread cybersecurity threats in years, began to be exploited in December 2021. At the time, CISA instructed government agencies to immediately patch vulnerable assets or take other mitigation measures. The FTC also subsequently warned companies in the private sector to remediate the vulnerability to avoid potential legal action for putting consumers at risk.
“As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” said CISA director Jen Easterly. “Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.”
An initial draft of the strategy was released in September 2021 for public comment, and since then has been shaped by input from the cybersecurity industry as well as other fields of the public and private sector.
With the final strategy now released, government agencies have been given 30 days to designate a strategy implementation lead within their organization, and 60 days to submit an implementation plan to the OMB.
“This strategy is a major step in our efforts to build a defensible and coherent approach to our federal cyber defenses,” said national cyber director Christopher Inglis. “We are not waiting to respond to the next cyber breach. Rather, this Administration is continuing to reduce the risk to our nation by taking proactive steps towards a more resilient society.”