US federal agencies shift focus from perimeter to data to implement zero trust
Data is the new security perimeter. That notion is the foundation of a new document from the U.S. executive branch on how agencies can adopt zero-trust cybersecurity practices.
The draft Federal Zero Trust Data Security Guide is a 42-page report that tells federal agencies how to define and secure the data they hold. More than 30 federal agencies and departments participated in its development. The guide is accompanied by a 28-page volume of appendices that address how agencies can implement the guidance in their operations.
Cybersecurity Executive Order 14028 directed the move towards zero trust and led to OMB M-22-09, “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles.” That memo required federal officials to develop the Zero Trust Data Security Guide.
The guide’s release comes just ahead of the November 7 deadline for federal agencies to submit their zero-trust implementation plans to the Office of the National Cyber Director and the Office of Management and Budget.
The new guide begins with a case for the importance of data management for zero trust security, and an elucidation of zero trust data security principles.
Federal bodies are instructed to set up a data inventory and a data catalogue. The data catalogue is a distinct document to help users find a particular data asset, the companion document explains.
The guide also sets out essential identity, credential and access management (ICAM) practices, stating the importance of continuous monitoring, authentication, identity federation and single sign-on (SSO) systems.
The guide explains the importance of access controls based on users’ roles, attributes and context, and sets out the role of security operations centers in vulnerability monitoring and response.
A section on data management has not yet been developed, and is left blank.
The appendix on ICAM notes the importance of the identity assurance levels (IALs) set by NIST in SP 800-63 for identity verification and validation. It also advises implementing the principle of least privilege, behavior analytics and adaptive authentication.
Zero trust adoption is picking up steam, motivated by fear of costly breaches, deepfakes and synthetic identities, but the U.S. is behind the curve, according to survey results released earlier this year by Ponemon and Entrust.