The Office of Management and Budget (“OMB”) released its draft Federal Zero Trust Strategy under President Biden’s Executive Order on Improving the Nation’s Cybersecurity (No. 14028) (discussed previously here and here) and is seeking comments on the draft by September 21, 2021.  Relatedly, the Cybersecurity and Infrastructure Security Agency (“CISA”) is seeking comments on its recently released Zero Trust Maturity Model and Cloud Security Technical Reference Architecture (“TRA”), both aimed at moving the United States government toward a zero trust architecture. The public comment period for CISA’s materials currently is open and scheduled to conclude on October 1, 2021.  Below we discuss key provisions of each, reminding contractors to stay vigilant of the ever-evolving cybersecurity regulations in the U.S.

OMB’s Federal Zero Trust Strategy

Citing the Executive Order, OMB calls for “a major paradigm shift” in the Federal government’s approach to cybersecurity and requires that agencies meet specific goals for zero trust by the end of Fiscal Year 2024.  These goals are to be based on pillars in CISA’s Zero Trust Maturity Model (described below), which include more robust multi-factor authentication, better management of devices, and taking advantage of cloud-based security services.  Agencies must designate a “zero trust architecture implementation lead” and submit to OMB implementation plans in accordance with the OMB memorandum.

Comments on this publication are due by September 21, 2021, and information on submitting comments can be found here.

CISA’s Zero Trust Maturity Model

CISA’s Zero Trust Maturity Model, released per section 3(b)(ii) of the Executive Order, is meant to assist agencies in the development of zero trust strategies and implementation plans.  For those not immersed in cybersecurity developments, “zero trust” is a security principle dictating that agencies and organizations should not trust anyone or anything outside or inside of their networks and systems, and should implement security measures to verify any system access.

The CISA Zero Trust Maturity Model is comprised of five pillars (Identity, Device, Network/Environment, Application Workload, and Data) and three cross-cutting capabilities (Visibility and Analytics, Automation and Orchestration, and Governance), based upon the foundations of zero trust.  This guidance further provides examples of a traditional, advanced, and optimal zero trust architecture to identify an agency’s maturity for each zero trust technology pillar.

Though the goal of the Maturity Model is to provide agencies with a roadmap and resources to achieve an optimal zero trust environment, CISA is seeking feedback from agencies, industry, and academia focused on the following key questions:

  • Has this document been helpful to your agency as you prepared your Cyber Executive Order zero trust implementation plan? If not, what guidance could be added?
  • Does your agency have suggestions on how better to delineate the 5 pillars from the 3 crosscutting capabilities – Visibility and Analytics, Automation and Orchestration, and Governance?
  • Which pillars do you think are the best defined and which pillars need help?
  • How could the Zero Trust Maturity Model better support your agency’s Cyber Executive Order zero trust implementation plan?

Comments on CISA’s Zero Trust Maturity Model document are due October 1, 2021, and information on submitting comments can be found here.

CISA’s Cloud Security TRA

CISA developed the Cloud Security TRA in accordance with Section 3(c)(ii) of the Executive Order through a multi-agency effort with the United States Digital Service and the Federal Risk and Authorization Management Program (“FedRAMP”).  The TRA provides guidance for agencies to apply when adopting cloud technology and migrating to the cloud securely.  This technical guidance aims to allow the Federal Government to identify, detect, protect, respond, and recover from cyber incidents, while improving cybersecurity as a whole.

Comments on the TRA may be submitted by agencies, industry, and academia. CISA seeks feedback on the following key questions:

  • Overall
    • The document strikes a balance between governance, operations, and security. Are there critical areas that should be expanded?
  • Section 3: Shared Services
    • Does the updated Authorization Boundary definition meet your organization’s needs?
  • Section 4: Cloud Migration
    • What additional scenarios could be incorporated?
  • Section 5: Cloud Security Posture Management
    • Does the definition of Cloud Security Posture Management in Section 5.1 align with and support your needs?
    • Section 5.2 outlines seven outcomes. Are there other outcomes to be considered?
    • Are the other capabilities of CSPM that should be highlighted in section 5.3?

The comment period for the Cloud Security TRA closes on October 1, 2021, and information on submitting comments can be found here.

Conclusion

While the OMB and CISA publications are aimed at agencies and focus on strategies for the Federal Government, the principles and concepts included in the materials eventually may be rolled out to contractors and represent currently accepted best practices.  Contractors should pay close attention both to these and other materials released under the Cybersecurity Executive Order (under which we will see a variety of new proposed Federal Acquisition Regulation (FAR) rules in the coming weeks).  The comment periods here provide a key opportunity for the private sector to shape Federal Government policy and requirements in the cybersecurity space.

*Lillia Damalouji is a law clerk in the firm’s Washington, D.C. office.