EO, OMB-M, CISO, CDO
Executive Order (EO) via The President of the U.S. (POTUS)
Office of Management and Budget (OMB) -- Memorandum (M)
CDO Council & CISO Council (created The Federal ZT Data Security Guide)
AuthS -- EO (via POTUS) -- OMB-M
M-22-09: Federal Zero Trust Strategy.
BLUF: Moving the U.S. Government Toward ZT Cybersecurity Principles. (A Memorandum for The Heads of Executive Departments and Agencies).
GOAL: Set forth a ZT Strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024. For each pillar, show "Vision" statements and "Action" (aka "Objective") statements.
URL: https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
EO 14028.
BLUF: (1) Improving the Nation's Cybersecurity by pushing agencies to adopt ZT Cybersecurity Principles and adjust their network architectures accordingly.
Align with:
M-23-02 (Migrate to PQC, see OMB) ;
QUOTES.
ZTA -- EO 14028, Sec. 3(a): the Federal Government must "advance toward Zero Trust Architecture" (alongside adopting security best practices, moving to secure cloud services, and centralizing access to cybersecurity data). ~ Note: EO 14028 itself does not mention post-quantum cryptography; the PQC migration mandate comes from NSM-10 (May 2022) and OMB M-23-02 (Nov 2022), which is why the two are listed together here.
FCEB (Federal Civilian Executive Branch) -- Federal Agencies.
BLUF (2): (1) These are the civilian departments and independent agencies of the US government, excluding military and intelligence agencies. (2) There are 96 FCEB Agencies, encompassing a wide range of responsibilities including healthcare, education, transportation, energy, and foreign affairs.
Some examples of FCEB Agencies include: (5)
Department of Health and Human Services (HHS)
Department of Education (ED)
Department of Transportation (DOT)
Department of Energy (DOE)
National Aeronautics and Space Administration (NASA)
FCEB Agency Resources:
FCEB Agencies List: https://www.cisa.gov/news-events/directives/federal-civilian-executive-branch-agencies-list
Sector Risk Management Agencies: https://www.cisa.gov/news-events/directives/federal-civilian-executive-branch-agencies-list
CISA Federal Government: https://www.cisa.gov/
OMB (Office of Management and Budget). -- Via the EXECUTIVE OFFICE OF THE PRESIDENT.
Memorandum-21-31 (M-21-31):
BLUF -- M-21-31 is a memorandum issued by the Office of Management and Budget (OMB) in August 2021. It's titled "Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents."
Aim: To enhance the US government's ability to detect, investigate, and respond to cybersecurity incidents.
Benefits/Value:
Standardized event logging requirements: M-21-31 sets out specific requirements for federal agencies regarding the data they must collect in their logs. This standardization enables them to gather consistent data that can be easily analyzed and shared across agencies.
Maturity model: The memorandum also defines an Event Logging (EL) maturity model with four tiers, EL0 (Not Effective), EL1 (Basic), EL2 (Intermediate) and EL3 (Advanced), with deadlines for reaching each tier. This lets agencies (and OMB) track progress in implementing the logging requirements.
Improved visibility: M-21-31 helps to improve visibility for agencies in their IT systems, both before and after a cyber incident. This allows for faster and more effective response measures.
ITIL Incident Management:
Process To Handle Incidents: (5)
Identification: Recognizing an unplanned interruption or reduction in service quality.
Logging: Recording the incident details in a service desk system.
Categorization: Classifying the incident by type and severity.
Prioritization: Assigning a priority based on urgency and business impact.
Resolution: Resolving the incident and restoring normal service.
OMB (Office of Management and Budget). -- Via the EXECUTIVE OFFICE OF THE PRESIDENT.
M-22-09 (Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, i.e. the Federal ZTA Strategy) -- (Issued: Jan 26, 2022):
BLUF: This memorandum sets forth a Federal ZTA Strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 to reinforce the government’s defenses against increasingly sophisticated and persistent threat campaigns.
PDF: https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
Go here: ZeroTrust.Cyber.Gov -- A website jointly maintained by OMB and CISA for best practices, lessons learned, and additional agency guidance. [M-22-09, Pg.5]
~ Note: The below topics are what is in this memorandum (M-22-09).
Order: This memo from the OMB mandates federal agencies to adopt Zero Trust. It outlines specific goals and timelines for federal agencies.
Value: If you're working with the US federal government or are in a sector with similar regulatory requirements, this document is crucial. It provides concrete steps and priorities.
OMB "Actions" for Federal Agencies --
Achieve ZT Security Goals (based on CISA's 5 Pillars) by the end of the Fiscal Year (FY) 2024. These goals are organized using the ZTMM developed by CISA. [M-22-09, Pg.4]
Action (30 days from the publication of this memorandum) -- Designate a ZT Strategy Implementation Lead (a person) for their organization. ~ Notes (2): (1) OMB will rely on these designated leads for government-wide coordination and engagement in planning and implementation efforts within each organization. (2) OMB and CISA will work with agencies throughout zero trust implementations to capture best practices, lessons learned, and additional agency guidance on a jointly maintained website at zerotrust.cyber.gov. [M-22-09, Pg.5]
Action (Within 60 days) -- Agencies must build upon the ZTA plans already required by EO 14028 and submit an "Implementation Plan" for FY22-FY24 to OMB and CISA for OMB concurrence.
Action (Within 60 days, in addition) -- Submit a budget estimate for FY24. Agencies should internally source funding in FY22 and FY23 to achieve priority goals, or seek funding from alternative sources such as working capital funds or the Technology Modernization Fund. // [M-22-09, Pg.4-5]
CISA's 5 Pillars, each with a "Vision" statement and "Actions" (aka "Objectives") -- (VMGO)
CISA's 5 Pillars: (1) Identity, (2) Devices, (3) Networks, (4) Applications and Workloads, and (5) Data.
(A) Pillar: Identity, [Pg.5] --
VISION -- Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.
ACTIONS/OBJ. (3) -- (1) Agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms. (2) Agencies must use strong MFA throughout their enterprise. (3) When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user.
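Added example (not from M-22-09 or any agency system): a minimal policy decision that enforces the three Identity pillar actions above, i.e. the assertion must come from the enterprise IdP, the MFA method must be phishing-resistant, and at least one device-level signal must be present before access is granted. The IdP name, the MFA method labels, the device signal names ("managed", "edr_healthy") and the "high" sensitivity label are all assumptions for illustration.

```python
"""Added example: zero trust access decision combining identity, MFA strength
and a device-level signal. Names and thresholds are assumptions, not from M-22-09."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Authenticator types M-22-09 treats as phishing-resistant (PIV/Derived PIV, FIDO2/WebAuthn).
PHISHING_RESISTANT_MFA = {"piv", "derived-piv", "fido2", "webauthn"}
# Hypothetical enterprise identity provider; anything else is not a centralized identity.
ENTERPRISE_IDPS = {"login.agency.example"}


@dataclass
class AccessRequest:
    subject: str
    issuer: str                      # who issued the identity assertion
    mfa_method: str                  # e.g. "fido2", "totp", "sms"
    resource: str
    sensitivity: str = "moderate"    # assumed labels: "moderate" or "high"
    # Device posture as reported by device management / EDR (assumed signal names).
    device_signals: Dict[str, object] = field(default_factory=dict)


def decide(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons_for_denial). Every failed check is recorded, not just the first."""
    denials: List[str] = []

    # Action 1: centralized, enterprise-managed identity.
    if req.issuer not in ENTERPRISE_IDPS:
        denials.append(f"identity issued by non-enterprise IdP '{req.issuer}'")

    # Action 2: strong (phishing-resistant) MFA; OTP and SMS do not qualify.
    if req.mfa_method.lower() not in PHISHING_RESISTANT_MFA:
        denials.append(f"MFA method '{req.mfa_method}' is not phishing-resistant")

    # Action 3: at least one device-level signal must accompany the identity.
    if not req.device_signals:
        denials.append("no device-level signal presented")
    else:
        if req.device_signals.get("managed") is not True:
            denials.append("device is not enterprise-managed")
        # Stricter posture for sensitive resources: EDR must be reporting healthy.
        if req.sensitivity == "high" and req.device_signals.get("edr_healthy") is not True:
            denials.append("EDR not reporting healthy; required for high-sensitivity resource")

    return (not denials, denials)


if __name__ == "__main__":
    # Constructed requests for demonstration.
    for req in (
        AccessRequest("alice", "login.agency.example", "fido2", "hr-db", "high",
                      {"managed": True, "edr_healthy": True}),
        AccessRequest("bob", "login.agency.example", "totp", "wiki", "moderate",
                      {"managed": True}),
        AccessRequest("carol", "login.agency.example", "piv", "wiki"),
    ):
        print(req.subject, decide(req))
```

The point of the structure is that identity alone never reaches "allow": the absence of any device signal is a denial, and for sensitive resources the device must additionally be managed and healthy.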
(B) Pillar: Devices, [Pg.10] --
VISION -- Agencies maintain a complete inventory of every device authorized and operated for official business and can prevent, detect, and respond to incidents on those devices.
ACTIONS/OBJ. (2) -- (1) Agencies must create reliable asset inventories through participation in CISA’s Continuous Diagnostics and Mitigation (CDM) program. (2) Agencies must ensure their Endpoint Detection and Response (EDR) tools meet CISA’s technical requirements and are deployed widely.
(C) Pillar: Networks, [Pg.12] --
VISION -- Agencies encrypt all DNS requests and HTTP traffic within their environment and begin executing a plan to break down their perimeters into isolated environments.
ACTIONS/OBJ. (3+) -- (1) Agencies must resolve DNS queries using encrypted DNS wherever it is technically supported. (2) Agencies must enforce HTTPS for all web and application programming interface (API) traffic in their environment. (3) Agencies must develop a plan that describes the agency's approach to environmental isolation, in consultation with CISA, and submit it to OMB as part of their ZTA implementation plan. (+) CISA will work with FedRAMP to evaluate viable Government-wide solutions for encrypted email in transit and make resulting recommendations to OMB.
(D) Pillar: Applications and Workloads, [Pg.16] --
VISION -- Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.
ACTIONS/OBJ. (6+) -- (1) Agencies must operate dedicated application security testing programs. (2) Agencies must utilize high-quality firms specializing in application security for independent third-party evaluation. ~ Note: CISA and GSA will work together to make the services of such firms available for rapid procurement. (3) Agencies must maintain an effective and welcoming public vulnerability disclosure program for their internet-accessible systems. (4) Agencies must identify at least one internal-facing FISMA Moderate application and make it fully operational and accessible over the public internet. (5) Agencies must provide any non-.gov hostnames they use to CISA and GSA. (+) CISA and GSA will work together to provide agencies with data about their online applications and other assets. (6) Agencies should work toward employing immutable workloads when deploying services, especially in cloud-based infrastructure.
(E) Pillar: Data security, [Pg.20] --
VISION -- Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies take advantage of cloud security services and tools to discover, classify, and protect their sensitive data, and have implemented enterprise-wide logging and information sharing.
ACTIONS/OBJ. (4) -- (1) Federal Chief Data Officers (CDOs) and Chief Information Security Officers (CISOs) will create a joint committee to develop a Zero Trust Data Security Guide for agencies. (2) Agencies must implement initial automation of data categorization and security responses, focusing on tagging and managing access to sensitive documents. (3) Agencies must audit access to any data encrypted at rest in commercial cloud infrastructure. (4) Agencies must work with CISA to implement comprehensive logging and information-sharing capabilities, as described in OMB's M-21-31.
(F) OMB Policy Alignment (w/other OMB Policies related to ZTA). (4) -- [Pg.24]
BLUF: Moving to a ZTA involves changes to nearly every aspect of an enterprise’s security posture. As a result, this strategy necessarily touches on a large number of enterprise security practices, which can intersect with other existing OMB policies. This section describes how agencies should interpret other OMB memoranda whose requirements relate to the zero trust goals described within this memorandum.
OMB M-21-07 - IPv6 and Zero Trust. [Pg.24] -- Agencies are undergoing a transition to IPv6, as described in OMB Memorandum M-21-07, while at the same time migrating to a zero trust architecture. Agencies should coordinate the implementation of these initiatives when they revisit their enterprise network infrastructure and policies.
OMB M-19-17 - PIV and non-PIV Authenticators. (2) [Pg.24-25] -- (1) For many agency systems, PIV (including Derived PIV) will be the simplest way to support phishing-resistant MFA requirements, and OMB Memorandum M-19-17 requires agencies to use PIV credentials as the "primary" means of authentication for Federal information systems. (2) However, PIV will not be a practical option for some information systems and situations. Agencies are permitted under current guidance to use phishing-resistant authenticators that do not yet support PIV or Derived PIV (such as FIDO2 and Web Authentication-based authenticators) to meet the requirements of this strategy.
OMB M-19-26 and OMB M-21-31 – Alternatives to Network Inspection. [Pg.25] -- Current OMB policies neither require nor prohibit inline decryption of enterprise network traffic. Agencies are expected to balance the depth of visibility they need with the risks presented by broadly trusted network inspection devices.
OMB M-15-13 - HTTPS for Internal Connections. (2) [Pg.25] -- (1) OMB Memorandum M-15-13 requires agencies to encrypt HTTP traffic that travels over the public internet to or from a Federal system, using HTTPS and HTTP Strict Transport Security (HSTS). M-15-13 specifically exempts internal connections, stating, "[T]he use of HTTPS is encouraged on intranets, but not explicitly required." An "intranet" is defined as "a computer network that is not directly reachable over the public internet." (2) M-22-09 expands the scope of M-15-13 to encompass these internal connections. Agencies should apply the guidance contained in OMB's published compliance FAQ, at https://https.cio.gov/guide/, to their internal systems.
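Added example (not OMB's or CISA's tooling) serving both the Networks pillar action "enforce HTTPS for all web and API traffic" and the M-15-13 expansion above: a checker that, given a URL and the HTTP response to it, flags plaintext responses that do not redirect to HTTPS and HSTS headers that fall short of the https.cio.gov recommendations (max-age of at least one year, includeSubDomains, preload). The same rule is applied to intranet hosts as to public ones. The hostnames and response headers are constructed sample input; the check is run offline on those rather than against a live server.

```python
"""Added example: HTTPS/HSTS compliance check over constructed responses.
Hostnames and headers are sample data, not real agency systems."""
from typing import Dict, List
from urllib.parse import urlsplit

# One year in seconds: the max-age floor https.cio.gov recommends (and the preload list requires).
ONE_YEAR = 31536000


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into directives; valueless ones map to True."""
    directives: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def check_hsts(headers: Dict[str, str]) -> List[str]:
    """Findings for an HTTPS response; an empty list means the HSTS policy is acceptable."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in lower:
        return ["missing Strict-Transport-Security header"]
    d = parse_hsts(lower["strict-transport-security"])
    findings: List[str] = []
    max_age = d.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        findings.append("HSTS max-age missing or not numeric")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"HSTS max-age={max_age} is below one year")
    if "includesubdomains" not in d:
        findings.append("HSTS lacks includeSubDomains")
    if "preload" not in d:
        findings.append("HSTS lacks preload (recommended for .gov hosts)")
    return findings


def check_response(url: str, status: int, headers: Dict[str, str]) -> List[str]:
    """Plaintext HTTP must 301/308 to https://; HTTPS must carry an adequate HSTS policy.
    Applied identically to internet-facing and intranet hosts (M-22-09 extends M-15-13)."""
    if urlsplit(url).scheme.lower() == "http":
        location = {k.lower(): v for k, v in headers.items()}.get("location", "")
        if status in (301, 308) and location.lower().startswith("https://"):
            return []
        return ["plaintext HTTP response did not redirect to HTTPS"]
    return check_hsts(headers)


if __name__ == "__main__":
    # Constructed sample responses: one compliant public host, one intranet host still on plaintext,
    # and one intranet host with a token HSTS policy.
    samples = [
        ("https://www.agency.example/", 200,
         {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}),
        ("http://intranet.agency.example/", 200, {"Content-Type": "text/html"}),
        ("https://hr.intranet.agency.example/", 200,
         {"strict-transport-security": "max-age=300"}),
    ]
    for url, status, hdrs in samples:
        print(url, check_response(url, status, hdrs) or "OK")
```

Header names are compared case-insensitively because servers and proxies vary in their casing; a checker that only matched `Strict-Transport-Security` exactly would report false negatives.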
OMB (Office of Management and Budget). -- Via the EXECUTIVE OFFICE OF THE PRESIDENT.
BLUF: NSM-10 (May 2022) and the "Quantum Computing Cybersecurity Preparedness Act" (Dec 2022) direct OMB to drive the federal migration to PQC; OMB M-23-02 (Nov 2022) is the resulting guidance. (1) It discusses the threat quantum computers pose to current public-key cryptography. (2) It directs agencies to inventory their cryptographic systems and prioritize the most vulnerable ones. (3) It also directs agencies to submit an assessment of the funding required to migrate to post-quantum cryptography (PQC).
Solution: NIST has published post-quantum cryptographic standards designed to resist attacks by quantum computers. As of 13 August 2024 (Link) they are:
Federal Information Processing Standard (FIPS) 203, intended as the primary standard for general encryption. Among its advantages are comparatively small encryption keys that two parties can exchange easily, as well as its speed of operation. The standard is based on the CRYSTALS-Kyber algorithm, which has been renamed ML-KEM, short for Module-Lattice-Based Key-Encapsulation Mechanism.
FIPS 204, intended as the primary standard for protecting digital signatures. The standard uses the CRYSTALS-Dilithium algorithm, which has been renamed ML-DSA, short for Module-Lattice-Based Digital Signature Algorithm.
FIPS 205, also designed for digital signatures. The standard employs the SPHINCS+ algorithm, which has been renamed SLH-DSA, short for Stateless Hash-Based Digital Signature Algorithm. It is based on a different mathematical approach (hash functions rather than lattices) than ML-DSA, and is intended as a backup method in case ML-DSA proves vulnerable.
PQCM Strategy. (4) -- Ref Document: See Desktop, HHS, PQC, OMB, "OMB_PQC-REPORT_FINAL_July2024"
A comprehensive and ongoing cryptographic inventory is a key baseline for successful migration to PQC
The threat of record-now-decrypt-later attacks means that the migration to PQC must start (now) well before a quantum computer capable of breaking current encryption is known to be operational
Agencies must prioritize systems (starting with High Value Assets, HVAs) and data for PQC migration
Systems that will not be able to support PQC must be identified now.
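Added example (not from the OMB report) tying the four strategy points above together: a constructed cryptographic inventory is classified by quantum risk (Shor-breakable public-key algorithms vs. adequate symmetric/hash primitives vs. the FIPS 203/204/205 families) and ranked for migration, with long-lived confidential data and HVAs first because of record-now-decrypt-later exposure, and systems that cannot support PQC flagged for replacement or isolation. The asset names, columns and priority thresholds (10-year data lifetime, yes/no HVA and pqc_capable flags) are assumptions for illustration.

```python
"""Added example: classify and rank a constructed crypto inventory for PQC migration.
Asset names, columns and thresholds are assumptions, not OMB requirements."""
import csv
import io
from typing import Dict, List, Tuple

# FIPS 203 / 204 / 205 families, matched by prefix on the inventory's algorithm name.
PQC_PREFIXES = ("ML-KEM", "ML-DSA", "SLH-DSA")
# Public-key algorithms broken by Shor's algorithm on a cryptographically relevant quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDHE", "ECDSA", "ED25519", "X25519"}
# Symmetric/hash primitives whose security margin survives Grover's algorithm at these sizes.
ADEQUATE = {"AES-256", "SHA-256", "SHA-384", "SHA-512", "SHA3-256"}
# Primitives to retire regardless of quantum risk.
WEAK = {"AES-128", "SHA-1", "3DES", "RC4", "MD5"}


def classify(algorithm: str) -> str:
    alg = algorithm.strip().upper()
    if alg.startswith(PQC_PREFIXES):
        return "pqc"
    if alg in ADEQUATE:
        return "adequate"
    if alg in WEAK:
        return "weak"
    if alg.split("-")[0] in QUANTUM_VULNERABLE:   # "RSA-2048" -> "RSA", "ECDH-P256" -> "ECDH"
        return "quantum-vulnerable"
    return "unknown"


def priority(row: Dict[str, str]) -> Tuple[int, str]:
    """Return (priority, rationale); 1 is the most urgent."""
    cls = classify(row["algorithm"])
    hva = row["hva"].lower() == "yes"
    long_lived = int(row["lifetime_years"]) >= 10       # assumed threshold
    pqc_capable = row["pqc_capable"].lower() == "yes"
    if cls == "quantum-vulnerable":
        if row["use"] == "confidentiality" and long_lived:
            prio, why = 1, "long-lived confidential data exposed to record-now-decrypt-later"
        elif hva:
            prio, why = 1, "high value asset on quantum-vulnerable public-key crypto"
        else:
            prio, why = 2, "quantum-vulnerable public-key crypto"
        if not pqc_capable:
            why += "; cannot support PQC, plan replacement or isolation"
        return prio, why
    if cls in ("weak", "unknown"):
        return 3, f"{cls} primitive, retire or review"
    return 4, f"{cls}, no migration needed"


def prioritize(inventory_csv: str) -> List[Tuple[int, str, str, str]]:
    """Rows of (priority, asset, algorithm, rationale), most urgent first."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    ranked = []
    for r in rows:
        prio, why = priority(r)
        ranked.append((prio, r["asset"], r["algorithm"], why))
    return sorted(ranked, key=lambda t: (t[0], t[1]))


# Constructed inventory; every asset here is fictional.
INVENTORY = """asset,algorithm,use,hva,lifetime_years,pqc_capable
vpn-gw01,RSA-2048,confidentiality,yes,15,yes
web-portal,ECDSA-P256,signature,no,1,yes
legacy-scada,ECDH-P256,confidentiality,yes,20,no
backup-archive,AES-256,confidentiality,yes,25,yes
email-relay,AES-128,confidentiality,no,3,yes
pilot-tls,ML-KEM-768,confidentiality,no,5,yes
"""

if __name__ == "__main__":
    for prio, asset, alg, why in prioritize(INVENTORY):
        print(f"P{prio} {asset:15} {alg:12} {why}")
```

Note that a signature-only use (web-portal) ranks below a key-establishment use with long-lived data (vpn-gw01): captured signatures cannot be "decrypted later", so the urgency is driven by when a quantum computer arrives rather than by what has already been recorded.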
Publications:
Guidance (OMB PDF): OMB M-23-02: Migrate to PQC.
Related: NIST's final PQC standards (FIPS 203, 204 and 205) were published on 13 August 2024; agency migration plans under M-23-02 build on them.
Vendor reference: XQ, "Zero Trust Data Supports M-23-02 Migration To PQC" (blog post on OMB M-23-02).
OMB (Office of Management and Budget). -- Via the EXECUTIVE OFFICE OF THE PRESIDENT.
Publications:
Guidance (OMB PDF): OMB M-24-14: Cybersecurity Priorities for FY 2026 Budget.
References: OMB & National Cyber Director (NCD) // Pillars are from the National Cybersecurity Strategy (NCS).
Summary of M-24-14: -- BLUF (3): (1) This document outlines the US government's cybersecurity investment priorities for the fiscal year 2026 budget. It is organized around the five pillars of the National Cybersecurity Strategy (NCS) to strengthen the nation's cybersecurity posture. (2) Overall, the document stresses a multi-pronged approach to cybersecurity. (3) By investing in these areas, the US government aims to strengthen its defenses, disrupt adversaries, promote secure software development, and foster international cooperation.
NCS Pillar 1o5: Defend Critical Infrastructure. (4)
Modernize Federal Defenses: This includes implementing zero-trust architecture, prioritizing technology upgrades, and leveraging shared cybersecurity services. Agencies need to demonstrate progress through metrics like FISMA reporting.
Scale Public-Private Collaboration: Collaboration with critical infrastructure sectors is crucial. Agencies need to show how they're building capacity to manage risks and ensure resources are allocated for responsibilities outlined in National Security Memorandum 22.
Improve Baseline Cybersecurity Requirements: Regulatory agencies are encouraged to set minimum security and resilience requirements for critical infrastructure sectors in collaboration with stakeholders. Budgets should reflect sufficient funding for enforcement.
Improve Open Source Software Security and Sustainability: Agencies must ensure the secure use of open-source software and contribute to its maintenance. This includes processes for review, approval, and centralized management.
NCS Pillar 2o5: Disrupt and Dismantle Threat Actors. (1)
Counter Cybercrime, Defeat Adversaries: Agencies disrupting threat actors should prioritize resources for investigating cybercrimes, dismantling ransomware infrastructure, and participating in relevant task forces.
NCS Pillar 3o5: Shape Market Forces to Drive Security and Resilience. (2)
Secure Software Development: Agencies should only use software developed following secure software development practices as outlined in OMB memoranda. Budgets should reflect the capacity to meet these requirements.
Leverage Federal Grants and Incentives: Grant programs for infrastructure projects should include security and resilience requirements with agencies providing technical support.
NCS Pillar 4o5: Invest in a Resilient Future. (3)
Strengthen the Cyber Workforce: Agencies need to demonstrate how they're supporting the National Cyber Workforce and Education Strategy. This includes flexible hiring practices, skills-based assessments, and initiatives to attract and retain diverse talent.
Prepare for the Post-Quantum Future: Agencies should ensure budgets reflect the resources needed to transition critical systems to quantum-resistant cryptography as outlined in National Security Memorandum 10.
Secure the Technical Foundation of the Internet: Agencies should prioritize secure hardware and software by design. This includes utilizing secure coding practices, formal methods, and advancements in software understanding.
NCS Pillar 5o5: Forge International Partnerships to Pursue Shared Goals. (2)
Expand Global Cyber Capacity Building: Agencies need to ensure resources for international partnerships and collaborations to improve global cybersecurity.
Improve Global Supply Chain Security: Budgets should reflect efforts to improve the security and transparency of global supply chains for critical infrastructure.
OMB (Office of Management and Budget). -- Via the EXECUTIVE OFFICE OF THE PRESIDENT.
Publications:
Guidance (OMB PDF): OMB M-24-15: Modernizing the Federal Risk and Authorization Management Program (FedRAMP). -- 21 Pages.
OMB MAX --
BLUF: OMB MAX.gov is a government-wide suite of advanced collaboration, information sharing, data collection, publishing, business intelligence, and authentication tools and services used to facilitate cross-government collaboration and knowledge management. MAX.gov tools include MAX Community, MAX Collect, MAX Survey, MAX A-11, MAX Analytics, and MAX Authentication, among many others.
URL: https://portal.max.gov/home/sa/userHome
AuthS -- CDO & CISO Council (created The Federal ZT Data Security Guide).
CISO & CDO Council -- (Federal ZT Data Security Guide).
BLUF:
The Federal Zero Trust Data Security Guide (v1.0, October 2024) was developed within the federal government through a collaboration between two cross-agency bodies, the Federal Chief Data Officers (CDO) Council and the Federal Chief Information Security Officers (CISO) Council, with contributions from over 30 federal agencies and departments.
Mandated by OMB M-22-09 (Data pillar, Action 1: CDOs and CISOs create a joint committee to develop a Zero Trust Data Security Guide). The guide is part of the federal government's effort to enhance cybersecurity by adopting Zero Trust principles.
By incorporating the guidance from the Federal Zero Trust Data Security Guide, you can ensure that your Zero Trust implementation effectively protects your organization's most valuable asset: its data.
Description: This guide, developed by the Federal CDO Council and Federal CISO Council, focuses specifically on data security within a Zero Trust framework. It emphasizes that in Zero Trust, "data is the new perimeter," meaning that protecting the data itself is paramount.
Value: It provides practical guidance on how to identify, classify, and secure data assets within a ZTA. It covers topics like:
Data inventory and categorization
Data security risks and mitigation strategies
Identity, credential, and access management for data
Privacy considerations related to data security
How it complements the other AuthS:
NIST SP 800-207: While NIST 800-207 provides the foundational principles of Zero Trust, the Data Security Guide dives deeper into the specific aspects of securing data within that framework.
OMB M-22-09: This memo mandates Zero Trust for federal agencies, and the Data Security Guide helps agencies meet those requirements by providing concrete steps for data security.
CISA ZTMM: The CISA maturity model helps you assess your overall Zero Trust progress, and the Data Security Guide helps you specifically mature your data security practices.
Key Takeaways:
The Federal Zero Trust Data Security Guide is essential for any organization, especially those working with the federal government, that needs to prioritize data security within their Zero Trust implementation.
It provides a practical, actionable approach to securing data in a Zero Trust environment.
It works in conjunction with the other Zero Trust resources to provide a comprehensive framework for implementation.