The Office of Management and Budget (OMB) issued a memorandum addressing all executive department and agency heads. The memorandum states that achieving the zero-trust goal requires a broader use of multi-factor authentication. This includes using hardware tokens such as access cards for authentication rather than SMS or push notifications. Agencies were told to build robust access controls and enterprise identity (via The Verge). The memorandum seeks agencies to perform a complete inventory of each device currently operational for official business. Such devices would be under surveillance in line with the Cybersecurity and Infrastructure Security Agency (CISA) guidelines.
This strategy also talks about the Log4j security vulnerability
“This zero trust strategy is about ensuring the Federal Government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the United States harm,” Acting OMB Director, Shalanda Young, said. The announcement by The White House also cites the example of the newly discovered Log4j security vulnerability. Log4j has been around for a while. However, news of its deeper use only emerged last month. The CISA asked all relevant government agencies to fix the most vulnerable assets or take other measures to mitigate the concern. The FTC then told private companies to ensure that Log4j vulnerabilities are fixed or face the risk of legal action. “As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” CISA director Jen Easterly, said. “Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.” The OMB has instructed government agencies to appoint a strategy implementation lead within 30 days. Agencies have to provide an implementation plan to the OMB within the next 60 days.