Zero trust countdown: New OMB memo stresses urgency for modern AppSec

The White House is following up with a new cybersecurity directive to further improve the security posture for federal agencies. The memo strongly encourages the adoption of zero trust architecture as a way to ensure that, in the process of securing their software landscape, federal agencies leave nothing unchecked when it comes to information handoffs.

This new memorandum by the United States government’s Office of Management and Budget (OMB), memo M-22-09, outlines why zero trust architecture is critical to securing the web applications that federal agencies and the public rely on daily. With the SolarWinds case reminding the government that supply chain security is vital and the recent Log4Shell incident highlighting how important effective incident response can be, finding a path to improved security posture is imperative.

“In the current threat environment, the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data,” Shalanda Young, Acting Director of OMB, stated in the memo. Young also noted that, as outlined by President Biden’s executive order on cybersecurity, the government needs to act quickly with significant changes to how it handles cybersecurity if it wants to keep up with sophisticated modern threats.

Staying one step ahead of access control issues

The strategy outlined in OMB’s memo M-22-09 places significance on improving enterprise identity and access controls, which can be done through efforts like multi-factor authentication, and a new baseline for access to heighten defenses around phishing attempts. Ultimately, it conceptualizes a government that has:

• Enterprise-managed accounts for federal staff, which provide access to everything needed to complete tasks while also staying secure
• Devices that are tracked and monitored constantly while taking into consideration how secure the devices are when accessing internal resources
• Isolated agency systems with encryption for network traffic moving between those systems
• Internal and external testing for enterprise applications, which staff can access securely via the internet
• Federal security teams and data teams working together to develop data categories and security rules that automatically detect – and ultimately block – unauthorized access to sensitive information
• Collaboration between federal data teams and security teams to build data categories and rules to detect and block unauthorized access

In a zero trust architecture where no asset is considered 100% trusted, these efforts fold nicely into cybersecurity strategies that aim to encrypt and authenticate all traffic. To stay one step ahead of threat actors, this strategy is an integral part of a more extensive application security program that covers all the bases, from tooling to processes, enablement, third-party component checks, and even vulnerability disclosure.

“In addition to robust internal testing programs, agencies should scrutinize their applications as our nation’s adversaries do,” Young wrote in the memo. “This requires welcoming external partners and independent perspectives to evaluate the real-world security of agency applications, and a process for coordinated disclosure of vulnerabilities by the general public.”

The transition to a more robust security program may seem daunting, but if done thoughtfully, it will help guide agencies as they implement these mission-critical directives to meet the deadline.

New deadlines and goals for federal agencies

The urgency outlined in the memo is clear: government agencies have 30 days to assign someone in their organization the role of implementation lead for zero trust strategies, and then 60 days to send their full plan for implementation to Young’s office. Once submitted, the countdown is on and agencies are required to achieve certain zero trust security goals from CISA by the end of 2024.

The goals, which align with CISA’s five pillars, include improved security for identities, devices, and networks. They also include evaluating applications and workloads and ensuring that agencies are deploying protections for data – both on-premises and in the cloud. With more agencies making the move to cloud-first environments for added flexibility and ease of access, modern security solutions that offer full visibility and full coverage are more critical than ever.

Learn how Invicti helps government agencies secure their environments through dynamic and interactive web application security solutions to help meet these guidelines and other key directives.