The US military renounces zero trust for software • The Register

Federal agencies continue to implement their cybersecurity strategies 18 months after the Biden administration issued its executive order to strengthen government defenses.
Most recently, the Pentagon outlined its Zero Trust Strategy and Roadmap [PDF] this week, while the Cybersecurity and Infrastructure Security Agency (CISA) updated its infrastructure resilience framework to guide state, local and tribal entities in planning their cybersecurity efforts.
Additionally, the Information Technology Industry Council (ITI), a tech trade group, is asking the White House Office of Management and Budget (OMB) to clarify its recommendations for securing software development practices.
These are all sprouts of the seeds President Biden sowed in May 2021, urging both government agencies and private companies to upgrade their capabilities in the face of growing ransomware threats, supply chain attacks, and other digital perils.
Zero trust architectures—the idea that people, devices, or applications attempting to access a network cannot be trusted until they are authenticated and verified—are a core element. The OMB released a memo in January urging all government agencies to move in this direction. The release of its strategy and roadmap by the Department of Defense is part of the effort.
The Department of Defense aims to fully implement a Zero Trust framework by 2027, and the strategy includes four goals, including ensuring that staff are aware of and trained on Zero Trust and that all information systems are covered by it. The Pentagon also wants to ensure that all associated technologies keep pace with industry innovation and that policies and funding are meshed with zero-trust approaches.
In launching the strategy, the Department of Defense noted that its systems are under “widespread and sustained attacks” from threat groups, particularly from China and other nation-states, who “often breach the Department’s line of defense and roam freely within our information systems. The Department must act now.”
“This urgency means that our colleagues, our combatants, and every member of the Department of Defense must adopt a Zero Trust mentality, whether they work in technology, cybersecurity, or human resources,” wrote DoD CIO John Sherman. “This ‘never trust, always verify’ mindset requires us to take responsibility for the security of our devices, applications, facilities and services.”
The Pentagon previously released a Zero Trust reference architecture and released a second version in June. According to Steve Faehl, Federal Security CTO at Microsoft, unveiling a strategy and roadmap is an important step forward.
Faehl noted in a blog post that U.S. government networks face nearly half of all nation-state attacks, and that this week’s DoD update provides the department and IT partners — like Microsoft — with better guidance covering 45 capabilities and 152 activities.
“While zero trust initiatives have been ongoing across departments for years, this updated strategy seeks to unify efforts to achieve a strong, proven line of defense against adversary tactics,” he wrote.
For its part, CISA first launched its Infrastructure Resiliency Planning Framework in 2021 to guide organizations as they work to protect critical infrastructure. Now the agency is offering updates like the critical infrastructure datasets to help identify such environments, how best to bring together the diverse groups involved in the effort, and a revised methodology to better understand infrastructure systems.
Additionally, the CISA framework now includes more information about the impact that droughts can have on critical infrastructure.
Meanwhile, in a nine-page letter dated November 21 [PDF], Gordon Bitko, ITI’s executive vice president of policy for the public sector, urges OMB director Shalanda Young to clarify her Sept. 14 memo [PDF] to federal agency leaders, which outlines steps to protect against attacks on the software supply chain by ensuring secure software development practices.
The OMB memo directs agencies to ensure software vendors meet requirements such as compliance with NIST guidelines, and to require vendors to demonstrate that compliance by producing a software bill of materials (SBOM) before the software is used.
In his letter, Bitko wrote that while the memo is an “important milestone,” it burdens software vendors with “ambiguous terminology, confusing timelines, and the potential for regulatory fragmentation.”
“We are concerned that these requests are handled differently in government, even within agencies,” he wrote. “This creates ambiguity and may ultimately delay progress towards the government’s important software security goals.”
Bitko recommended several steps the OMB should take, including creating a single standard form that all agencies can use, adjusting the implementation timeline, and piloting parts of the plan before they are required. ®
https://www.theregister.com/2022/11/23/dod_cisa_omb_cybersecurity/