News Insights: OMB announces it wants to move the U.S. Government toward a “zero trust” architecture for cybersecurity

The White House’s Office of Management and Budget (OMB) today announced that it wants to move the U.S. Government toward a “zero trust” architecture for cybersecurity Office of Management and Budget Releases Federal Strategy to Move the U.S. Government Towards a Zero Trust Architecture | The White House and M-22-09 Federal Zero Trust Strategy (whitehouse.gov).

News insights:

Tim Erlin, VP or strategy at Tripwire:

“The published memorandum represents a substantial step forward for cybersecurity across the US government. Moving the whole of government in a single, forward direction is incredibly difficult, and the efforts of OMB and all of the participating agencies should be applauded.

Implementing a Zero Trust Architecture is a proven way to reduce cybersecurity risk, but it is by no means an easy solution. The OMB memorandum lays out a set of foundational steps that agencies must take in order to begin this journey to Zero Trust, but it’s just a beginning.

It’s unfortunate that this memorandum doesn’t provide a clearer role for what NIST identifies as one of the key tenets for Zero Trust: integrity monitoring. Documents from both CISA and NIST include integrity monitoring as a key component of Zero Trust, but the OMB memorandum doesn’t include similar treatment. Integrity monitoring is foundational to a successful Zero Trust Architecture.

This memorandum includes substantial requirements and discussion around Endpoint Detection and Response (EDR), and in doing so, runs the risk of over-reliance on a specific technology. EDR is already evolving into Managed Detection and Response (MDR) and Extended Detection and Response (XDR). The cybersecurity technology landscape moves quickly, and there’s a real risk that agencies will find themselves required to implement and run a superseded capability.”