
How to meet OMB’s Zero Trust Strategy goals for IT, IoT and OT Devices

Forescout Government Affairs | February 8, 2022

On Jan. 26, the Office of Management and Budget (OMB) published its widely anticipated final version of its zero trust architecture strategy, identifying top cybersecurity priorities for the federal government. This achievement raises the country’s cyber defense strategy to a level commensurate with the “increasingly sophisticated and persistent threat campaigns” it faces. Equally important, it provides a timetable for agencies to implement the strategy and clarification around specific tasks ahead of them. One more key consideration: OMB clearly states that agencies should source funding for FY22 and FY23 priorities internally. That means planning must begin now.

Federal agencies can meet the OMB Zero Trust Strategy goal for device visibility using tools they already have.

Final zero trust strategy in brief

By the end of fiscal year 2024, federal agencies must achieve specific goals organized around the Cybersecurity and Infrastructure Security Agency’s (CISA’s) “five pillars” for zero trust maturity: identities, devices, networks, applications and workloads, and data. To do so, they must use prescribed means for “phishing-resistant” multifactor authentication, device visibility, traffic encryption, network segmentation, routine application testing, data categorization and the use of cloud security services.

Two milestones occur within the first 60 days of the memorandum’s release:

  • Within 30 days (February 26, 2022), agencies must designate and identify a zero trust strategy implementation lead for their organization.
  • Within 60 days (March 26, 2022), agencies must incorporate 10 new pillar-related requirements into their previous EO-mandated implementation plans and submit the new plan to OMB for concurrence with their FY24 budget estimate.

As a standalone mandate, the final zero trust strategy may appear onerous. However, as the document and timeline demonstrate, it builds on previous cybersecurity goals and brings much-needed clarity and deadlines around specific goals.

As an example, let’s focus specifically on pillar #2: Devices.

Laying the foundation: 100% device inventory and control

The second pillar in the strategy stipulates that “Agencies maintain a complete inventory of every device authorized and operated for official business and can prevent, detect and respond to incidents on those devices.”

To elaborate:

A necessary foundation for any enterprise-wide zero trust architecture is a complete understanding of the devices, users and systems interacting within an organization. For most enterprises, creating and maintaining a complete inventory over time requires tools that can support the dynamic discovery and cataloging of assets.

Agencies that participate in the CISA Continuous Diagnostics and Mitigation (CDM) program should already have what they need to achieve this goal. In fact, the zero trust strategy explicitly requires agencies to “create reliable asset inventories through participation in CDM.”

Initiated in 2013, the program takes a phased approach to enabling federal agencies and departments to continuously identify, prioritize and mitigate risk. Phase 1 of CDM provided the foundational ability to know what is on your network. Forescout does this by agentlessly and continuously detecting all IP-addressable devices upon connection, then classifying them and controlling device access in real time. As the preferred solution for CDM hardware asset management (HWAM), we currently deliver this capability for most federal agencies. However, it likely needs to be extended.

CDM reboot for IoT and OT

The zero trust strategy breathes new life into CDM. Executive Order 14028, “Improving the Nation’s Cybersecurity” (issued May 12, 2021), required agencies to establish or amend Memoranda of Understanding for CDM with CISA so that CISA would have access to object-level data. Since CDM’s inception in 2013, the world has changed a lot. One reason is the proliferation of Internet of Things (IoT) and operational technology (OT) devices that support everything from security cameras to badge readers to HVAC systems. When OT has an IP address, it must meet the same cybersecurity standards as IT.

These newer – but not new – technologies bring huge gains in efficiency and productivity for federal civilian agencies, coupled with more reliable services for the public, at lower cost. Unfortunately, especially when IoT and OT manage critical infrastructure, they are prime targets for malicious actors, who can exploit them with relative ease.

Endpoint detection and response (EDR) tools are another focus of device visibility. The zero trust strategy calls for agency EDR tools to meet CISA’s technical requirements and be deployed widely – incorporating another previous mandate – but also calls out “some specialized systems, such as mainframes and connected devices, [that] may lack compatible EDR tools. These systems are still at risk of compromise or misuse and may require defenses from other zero trust mechanisms to mitigate risk.”

Here again, the outliers under consideration are likely IoT and OT devices such as badge readers and security cameras that need to be folded into existing cybersecurity practices. EDR tools often don’t work with such devices because of their inability to host a security agent. However, they can be accurately discovered in real time using HWAM tools you already have.

Extend zero trust to IoT and OT

OMB’s zero trust strategy provides a clear and flexible roadmap that signals urgency in the path forward for the federal enterprise. The good news? Agencies likely have most, if not all, of the cybersecurity tools necessary to begin designing their implementation plans. Examining existing tools for added utility to address zero trust requirements should be the first step, not only to establish a baseline but also a budget.

Zero trust is rooted in the principle “never trust, always verify.” To achieve the new goals, agencies must extend that principle across their entire network and all device types, without discrimination. In the near term, they must carefully determine their cybersecurity priorities and weigh them against risk and funding realities.

Let a Forescout Government Solutions expert help you adapt your existing cybersecurity approach to meet the final zero trust strategy requirements. Contact us today.
