OMB announces strategy for U.S. Government “zero trust” approach to cyber

WASHINGTON, D.C.—The Office of Management and Budget (OMB) released a Federal strategy on Jan. 26, 2022 to move the U.S. Government toward a “zero trust” approach to cybersecurity.

The strategy represents a key step forward in delivering on President Biden’s Executive Order on Improving the Nation’s Cybersecurity, which focuses on advancing security measures that dramatically reduce the risk of successful cyberattacks against the Federal Government’s digital infrastructure.

According to OMB, the growing threat of sophisticated cyberattacks has underscored that the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data. The Log4j vulnerability is the latest evidence that adversaries will continue to find new opportunities to get their foot in the door.

The zero trust strategy will enable agencies to more rapidly detect, isolate, and respond to these types of threats. By detailing a series of specific security goals for agencies, the new strategy will serve as a comprehensive roadmap for shifting the Federal Government to a new cybersecurity paradigm that will help protect the nation. These goals are directly aligned with and support existing zero trust models.  

“In the face of increasingly sophisticated cyber threats, the Administration is taking decisive action to bolster the Federal Government’s cyber defenses,” said Acting OMB Director Shalanda Young. “This zero trust strategy is about ensuring the Federal Government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the United States harm.”

“Security is the cornerstone of our efforts to build exceptional digital experiences for the American public,” noted Federal Chief Information Officer Clare Martorana. “Federal agency CIOs and IT leadership are leaning into this challenge, and the zero trust strategy provides a clear roadmap for deploying technology that is secure by design and responsive to the needs of our workforce so they can better deliver for the American public.”

“It was extremely important for us to work collaboratively with top experts across the government, industry and academia and build consensus around the highest value starting points for a defensible zero trust architecture,” added Federal Chief Information Security Officer Chris DeRusha. “This strategy will serve as the foundation for a paradigm shift in Federal cybersecurity and provide a model for others to follow.” 

“This strategy is a major step in our efforts to build a defensible and coherent approach to our federal cyber defenses,” said National Cyber Director Christopher Inglis. “We are not waiting to respond to the next cyber breach. Rather, this Administration is continuing to reduce the risk to our nation by taking proactive steps towards a more resilient society.”

“As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” noted CISA Director Jen Easterly. “Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.”

“OMB’s Zero Trust Strategy is an important milestone in the President’s effort to modernize the federal government’s cybersecurity to meet current threats, as outlined in Executive Order 14028,” added Deputy National Security Advisor for Cyber Anne Neuberger. “As OMB Acting Director Young noted, agency leadership plays a key role in making this strategy real, ensuring that agency CISOs have the support they need from their agencies’ financial and acquisition teams to execute this strategy.”

In September 2021, OMB released an initial draft of the strategy for public comment and received additional insights from cybersecurity professionals, non-profit organizations, and private industry that helped inform the final strategy.

President Biden signed the Executive Order in May 2021 to improve the nation’s cybersecurity and protect Federal Government networks in response to the mounting number of cyberattacks that have crippled U.S. critical infrastructure. 

A White House statement at the time noted that the Executive Order “makes a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur.”