White House leans harder on agency heads to implement zero trust

It is hard to tell if the U.S. federal government is closer to adopting a zero-trust architecture since the White House made it a priority last May, but there is more meat on the bones of the earlier statement.

President Joe Biden’s original executive order last year had numerous deadlines, and updates about completion have been hard to come by. It is not clear if a new memo put out by the White House this week provides cover for missed goals.

Shalanda Young, acting director of the Executive Office of the President, has issued a 26-page strategy memo stating that all federal departments and agencies have until September 30, 2024, to “reinforce” their defenses against cyberthreats and attacks.

While the significant cost of zero trust and reinforcement is mentioned in the document, no projected budgets are discussed.

Young’s robust memo is more than a statement of accountabilities, although such a document itself would be imposing given the size of the federal government, the scope of changes demanded and the pace required.

Her statement (summarized here) reads with the same urgency heard in 2020 when the government announced it was taking away the U.S. Marines’ battle tanks.

Young took the opportunity to spell out the difference between old-world trusted network architectures and modern zero-trust frameworks — which include multi-factor authentication (MFA) but do not stop there.

The envisioned change, with “significant investments,” she wrote, is necessary to protect lives and assets, the national economy and trust in government.

A more-secure digital future, according to Young, is one in which staff accounts and digital IDs are managed at the enterprise level, which assigns needed access while minimizing the chance of phishing attacks.

And agency systems are separate from each other, connected only through secured channels of encrypted data. Setups like that can better contain intrusions.

There are other goals laid out in the memo, most of which have already been internalized by the most security-conscious U.S. businesses.

For example, departments further along the path to zero-trust architectures should share the experiences, practices and staff with others catching up.

A 2020 survey by ID management services vendor Okta found that 41 percent of its buyers globally reported they were “working on a Zero Trust initiative” or expected to start one “in the near future.”

In 2021, that figure reached 90 percent.

The use of security keys and biometrics for MFA among business rose from 9 percent in 2018 to 21 percent currently, and 30 percent in the tech sector, according to Okta.

Article Topics

access management  |  biometrics  |  cybersecurity  |  digital ID  |  identity management  |  multifactor authentication  |  U.S. Government  |  zero trust