Moving the U.S. Government Towards Zero Trust Cybersecurity Principles - Draft for Public Comment

II. Purpose

In the current threat environment, the Federal Government can no longer depend on perimeter-based defenses to protect critical systems and data. Meeting this challenge will require a major paradigm shift in how Federal agencies approach cybersecurity.

As described in the Department of Defense Zero Trust Reference Architecture,[1] “The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.”

This strategy envisions a Federal zero trust architecture that:

  • Bolsters strong identity practices across Federal agencies;
  • Relies on encryption and application testing instead of perimeter security;
  • Recognizes every device and resource the Government has;
  • Supports intelligent automation of security actions; and
  • Enables safe and robust use of cloud services.

This strategy does not attempt to describe or prescribe a fully mature zero trust implementation. Nor does it discourage any agency from going beyond the actions described herein. The purpose of this strategy is to put all Federal agencies on a common roadmap by laying out the initial steps agencies must take to enable their journey toward a highly mature zero trust architecture. This recognizes that each agency is currently at a different state of maturity, and ensures flexibility and agility for implementing required actions over a defined time horizon. The strategy also seeks to achieve efficiencies for common needs by calling for government-wide shared services, where relevant.

Transitioning to a zero trust architecture will not be a quick or easy task for an enterprise as complex and technologically diverse as the Federal Government. But as President Biden stated in EO 14028, “Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”


  [1] “Department of Defense (DOD) Zero Trust Reference Architecture,”
      https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf

This work is in the public domain in the United States because it is a work of the United States federal government (see 17 U.S.C. 105).