So What About OMB M-22-09?

In a previous post I looked at the Biden Administration Executive Order 14028 – Improving the Nation’s Cybersecurity, including its championing of Zero Trust Architecture (ZTA) and least-privilege access.

During the Biden Administration, the Office of Management and Budget issued a related memorandum, M-22-09 (PDF), that dictated a particular approach. Again, ZTA was emphasized.

And the OMB proposed an action plan:

This memorandum requires agencies to achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024. These goals are organized using the zero trust maturity model developed by CISA. CISA’s zero trust model describes five complementary areas of effort (pillars) (Identity, Devices, Networks, Applications and Workloads, and Data), with three themes that cut across these areas (Visibility and Analytics, Automation and Orchestration, and Governance).

Naturally I’m interested in the identity part.

Agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms.

Agencies must use strong MFA throughout their enterprise.

  • MFA must be enforced at the application layer, instead of the network layer.
  • For agency staff, contractors, and partners, phishing-resistant MFA is required.
  • For public users, phishing-resistant MFA must be an option.
  • Password policies must not require use of special characters or regular rotation.

When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user.

Did the Federal Government accomplish the OMB M-22-09 identity objectives?

Sort of.

  • While some agencies mostly moved to centralized systems, some legacy systems didn’t transition.
  • Authentication moved away from weak MFA (such as sending an SMS to a device as the second factor).
  • Device signals aren’t fully implemented. As one example, dynamically blocking access in real time when a virus is detected is NOT fully operational. But this is challenging when you consider all the computers, smartphones, and other devices (including Internet of Things devices) that must be managed.
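To make the identity requirements concrete, here is an added example (my own illustration, not code from OMB, CISA, or Bredemarket) of an application-layer authorization decision that combines the authenticated user’s identity with one device-level signal, as the memorandum requires. The user populations, the set of MFA methods treated as phishing-resistant, the device signal fields (endpoint protection status, disk encryption, freshness), and the 15-minute freshness window are all assumptions chosen for the example; a real policy engine would take these from the agency’s identity provider and device management platform.

```python
"""Added example: a minimal zero-trust authorization check that combines
identity claims with a device-level signal. All field names, populations,
MFA method labels and thresholds below are constructed for illustration;
none are taken from OMB M-22-09 itself."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumption: these authenticator types are treated as phishing-resistant.
PHISHING_RESISTANT = {"fido2", "piv"}


@dataclass
class Identity:
    subject: str
    population: str   # constructed values: "staff", "contractor", "partner", "public"
    mfa_method: str   # constructed values: "fido2", "piv", "sms", "otp_app", "none"


@dataclass
class DeviceSignal:
    device_id: str
    edr_healthy: bool      # constructed: endpoint protection reports no active detection
    disk_encrypted: bool   # constructed: full-disk encryption is enabled
    last_seen: datetime    # when the device last reported its posture


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)   # empty when access is allowed


def authorize(identity, device, now, max_signal_age=timedelta(minutes=15)):
    """Evaluate one access request at the application layer.

    Rules modelled on the quoted requirements:
    - staff, contractors and partners must present phishing-resistant MFA;
    - public users must present some MFA (phishing-resistant remains optional);
    - at least one fresh, healthy device-level signal must accompany the request.
    Every failed rule is recorded so the denial can be logged and explained.
    """
    reasons = []

    # Identity: MFA strength depends on who the user is.
    if identity.population == "public":
        if identity.mfa_method == "none":
            reasons.append("public user authenticated without MFA")
    elif identity.mfa_method not in PHISHING_RESISTANT:
        reasons.append(
            f"{identity.population} user must use phishing-resistant MFA, "
            f"got {identity.mfa_method}"
        )

    # Device: the decision must consider at least one device-level signal.
    if device is None:
        reasons.append("no device-level signal supplied")
    else:
        if now - device.last_seen > max_signal_age:
            reasons.append("device signal is stale")
        if not device.edr_healthy:
            reasons.append("endpoint protection reports an active detection")
        if not device.disk_encrypted:
            reasons.append("device disk is not encrypted")

    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample inputs so the example runs offline.
NOW = datetime(2024, 9, 30, 12, 0, tzinfo=timezone.utc)
HEALTHY_DEVICE = DeviceSignal("laptop-01", True, True, NOW - timedelta(minutes=2))
INFECTED_DEVICE = DeviceSignal("laptop-02", False, True, NOW - timedelta(minutes=2))
STALE_DEVICE = DeviceSignal("laptop-03", True, True, NOW - timedelta(hours=3))

if __name__ == "__main__":
    requests = [
        (Identity("alice", "staff", "piv"), HEALTHY_DEVICE),
        (Identity("alice", "staff", "sms"), HEALTHY_DEVICE),
        (Identity("bob", "public", "sms"), HEALTHY_DEVICE),
        (Identity("alice", "staff", "fido2"), INFECTED_DEVICE),
        (Identity("alice", "staff", "fido2"), STALE_DEVICE),
        (Identity("alice", "staff", "fido2"), None),
    ]
    for ident, dev in requests:
        d = authorize(ident, dev, NOW)
        label = dev.device_id if dev else "no-device"
        print(f"{ident.subject:6} {ident.population:10} {ident.mfa_method:6} {label:10} "
              f"-> {'ALLOW' if d.allow else 'DENY'} {d.reasons}")
```

The point of the structure is that a weak second factor and an unhealthy or missing device signal each produce a deny with a recorded reason, and the device check runs on every request rather than once at network entry, which is what moving enforcement from the network layer to the application layer buys you.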

But the government’s own 2024 Impact Report said that the government performed well.

In effect, OMB M-22-09 is now a legacy document since the 2024 deadline has passed. But it’s still referenced, somewhat, in government cybersecurity efforts.

Are you meeting your prospects’ zero trust needs?

If Bredemarket can help you with strategic and tactical analysis, content, and proposals that address the zero trust architecture, set up a free meeting with me to discuss your goals.
