Late last month, the Office of Management and Budget (OMB) released a memorandum that offered updated security guidance for federal agencies. Guidance issued by OMB lays the framework or foundation for how federal civilian agencies should operate. And this new guidance could have a massive impact on agency cybersecurity strategy in the coming year, and beyond.
How will this guidance impact federal agencies that are seemingly involved in an uphill battle against malicious actors to protect their networks? What new approaches to cybersecurity or cybersecurity technologies will become priorities for federal agencies as a result of this guidance?
Joe Garber, Vice President of Marketing at One Identity, analyzed this recent OMB guidance and shared the following key takeaways in a recent blog post:
Zero Trust is a Vital Part of a Modern Cybersecurity Strategy
Zero Trust is re-emerging as a must-have for any organization that wants to improve its overall cybersecurity posture. In fact, in a recent study of more than 1,000 IT security professionals, 75% of executives characterized Zero Trust as critically or very important to bolstering their overall cyber defense (with only 1% disagreeing). In this same survey, 61% said that they were in the process of addressing Zero Trust, or that they would be formulating plans to do so in the next year.
Immediate Impact to U.S. Federal Agencies
The OMB’s memorandum also provides a specific timeline for 2022 government cybersecurity strategies and for U.S. agencies to meet specific security goals and standards – by the end of fiscal year 2024. More immediately, these agencies have 30 days to designate a ‘strategy implementation lead’ within their organization and 60 days to submit an implementation plan to the OMB. These timeframes are certainly tight, which underscores the relative importance the White House is placing on prescriptive security measures to protect government entities from anticipated future attacks.
Widely Applicable Across Sectors and Borders
While the guidance is primarily focused on addressing 2022 government cybersecurity strategies and U.S. federal agencies, organizations across the private sector – in the U.S. and around the world – should take heed as well. Also of note, the latest memo follows a draft that was issued in September 2021, which then received feedback from a variety of security experts that was incorporated into this final draft – meaning it reflects best practices outlined by security experts from a variety of verticals and geographies. It also has been crafted with an eye toward establishing cybersecurity standards for companies that sell software services to the federal government.
Identity and MFA at the Core of Resilience
The memo places a significant emphasis on stronger enterprise identity and access controls, including multi-factor authentication (MFA). In fact, MFA is mentioned 18 times in the 29-page document. The memo also aligns its guidance directly with CISA’s draft Zero Trust Maturity Model, which calls out identity security as the first core pillar, stating: “Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.” As noted previously, OMB sees conventional perimeter-based defenses as only a slice of a contemporary cybersecurity strategy. It thus stands to reason that they also are focusing on identity to minimize the blast radius once a bad actor gains access.
Education is Critical for Zero Trust Success
While the information contained in the OMB memo is an important step forward in outlining key elements of Zero Trust, there is still work to be done from an education standpoint. In the previously mentioned survey, it was determined that only one in five security stakeholders are confident in their organization’s understanding of Zero Trust, and that a lack of clarity remains the top barrier to Zero Trust adoption. This is likely why only 14% of respondents said that they had a fully deployed solution, despite the obvious need. Fortunately, there are a number of excellent resources on the topic that you can leverage to learn more, including this brand-new web-center titled What is Zero Trust.
In summary, the latest from the U.S. White House, which specifically calls out Zero Trust as a central part of 2022 government cybersecurity strategy, further underscores the importance of verifying everything before handing over the keys to the kingdom. One Identity is uniquely positioned to help organizations address these requirements with our industry-leading Unified Identity Security portfolio.