Cybersecurity Executive Order
It has been a little over six months since the White House released their Cybersecurity Executive Order (EO) mandating, among other things, a move toward both the cloud and Zero Trust architectures for government agencies.
So, where do we stand?
In December, the Pentagon is expected to launch its Zero Trust office to prioritize all their network environments and set them on the course to implementing Zero Trust.
The Zero Trust model shifts focus from various authentication and access controls to tailored controls around sensitive data stores, applications, systems, and networks in its simplest form. These controls leverage identities, commission/decommission users, and broker their access based on defined roles. The baseline strategy is to make it much harder for users without permissions to gain access to your systems in the first place, along with preventing mal actors from moving around within the systems if access is gained.
Cybersecurity Executive Order – Your journey to zero trust migration starts now.
As you look toward your priorities for 2022 and beyond, your Zero Trust plan should be included. But there is no need to panic. Instead The draft strategy from the Office of Management and Budget (OMB) acknowledges that the shift to zero trust principles won’t happen overnight. They expect that “moving to a zero-trust architecture will be a multi-year journey for agencies, and the Federal government will learn and adjust as new technologies and practices emerge.”
While agencies will face the hurdles of implementing new security design principles and shifting to an active defense mindset, they should be given the time, space and guidance to overcome those hurdles. The OMB goes on to state, “Each agency is currently at a different stage of maturity and ensures flexibility and agility for implementing required actions over a defined time horizon. The strategy also seeks to achieve efficiencies for common needs by calling for government-wide shared services, where relevant.”
The move toward Zero Trust and the trend to greater efficiencies bring automation into the spotlight. From verifying trust in anything that tries to access your enterprise to performing the continuous diagnostics and monitoring (CDM) that keep your Zero Trust program on track, automating what you will help you manage risks and costs.
It’s time to increase cloud adoption and consider new applications.
Another crucial part of the Cybersecurity Executive Order (EO) was its emphasis on cloud adoption. “As agencies continue to use cloud technology, they shall do so in a coordinated, deliberate way that allows the Federal government to prevent, detect, assess, and remediate cyber incidents,” the Cyber EO advises, with migration to cloud services incorporating zero trust architecture “as practicable.”
Federal agencies have already moved toward cloud adoption, but the EO wants the pace to quicken, acknowledging that every on-prem system is a candidate for moving to the cloud. Fortunately, they also realize that “improving FedRAMP through automation, resourcing, and incentivizing authorization to operate (ATO) reuse is pivotal to galvanizing cloud adoption and zero trust architectures.”
Your next steps moving into 2022.
Federal agencies are faced with determining the following vital steps to pursue on their transition to Zero Trust. First, Zero Trust includes building a resilient environment that meets DISA’s Security Technical Implementation Guides (STIGs) and Center for Internet Security benchmark guides. That means automation will be key to implementing Zero Trust and maintaining that stance over time. SteelCloud’s ConfigOS automation software is already helping agencies efficiently meet their security goals.
Brian Hajost, the COO of SteelCloud, has some advice to get started on your cybersecurity journey— “I would recommend that an agency begins with a gap analysis, including the good work that they have already accomplished. I would next prioritize addressing the gaps based on the cost, LOE, and the ability to implement changes in parallel with continuing to execute their mission.”
Hopefully, this blog post on the latest release of the Cybersecurity Executive Order (EO) should give you a good idea of where you are, where to start and where to go.