U.S. Government Announces Zero Trust Requirement for Federal Agencies

Federal agencies will be required to adopt ZT technology and policies by fiscal year 2024

On the heels of a White House memo published in mid-January, the Office of Management and Budget (OMB) has issued its second memo on cybersecurity in 2022, announcing a federal zero trust (ZT) strategy  that government agencies will be required to adopt. In May 2021, President Biden released an executive order  (EO) acknowledging the cybersecurity threats the U.S. faces, and the need for federal agencies to adopt policies and technologies that protect against the growing cyber threat. While the EO sought to establish a baseline for government agencies to implement security best practices, this latest memo is equal parts aspirational and tactical, establishing a vision for moving the U.S. government to a zero trust architecture (ZTA) and a timetable for implementation. This focus on establishing a stronger cybersecurity standard at the federal level is timely with reports that more than 1,200 cyber attacks occurred in 2021,  including breaches impacting supply chains  like in the case of Colonial Pipeline, and direct attacks against government agencies, like the email compromise  at the U.S. Federal Bureau of Investigation.

ZT is a security mindset

Often thought of in the context of a tech stack, ZT security is a paradigm shift and mindset that establishes that you can “trust no one” operating within a network, including internal employees, and that all activities need to be monitored and authenticated to ensure identity and behavior are not presenting a risk. This is a departure from the days where perimeter-based defenses like firewalls were in place to protect against external threats, but implicitly trusting those operating within the system. “It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction,” the memo states.

Next steps for government agencies in implementing ZT

Using the ZT model developed by the U.S. Cybersecurity & Infrastructure Security Agency at the U.S. Federal Bureau of Investigation. (CISA), government agencies will be required to achieve specific ZT goals by the end of the 2024 fiscal year that align with CISA’s five pillars of zero trust:

  • Identity

  • Devices

  • Networks

  • Applications and Workloads

  • Data

Within 30 days, agencies will be required to designate ZT leads within their organizations to coordinate and implement the new measures. And within 60 days, agencies will be required to further build out plans requested in the EO, providing documentation to OMB and CISA with budget estimates for implementation.

How PlurilockTM can support government agencies and enterprises in implementing a ZTA

Plurilock’s cutting-edge behavioral biometrics technology is uniquely positioned to support agencies and enterprises looking to transition to a ZTA. One of Plurilock’s core technology solutions, Plurilock DEFENDTM, is a continuous authentication platform that offers identity assurance and compromise detection, alerting IT security personnel to potential threats in real time.  The behavioral biometric signal generated by DEFEND has the capability to be used as a signaling platform that, when tied into authentication platforms, could support several objectives outlined in the memo. Below is a list of core elements of the newly established federal ZTA strategy and how Plurilock’s technology could be implemented in support of those objectives.

❯ Access control and identity management
When used as part of your authentication stack, DEFEND has the capability to confirm user identity continuously using behavioral biometric user profiles, as opposed to other solutions in the market that rely on static biometrics and complicated risk algorithms.
❯ Phishing-resistant MFA
Multi-factor authentication (MFA) is a critical element of a strong security infrastructure, but many MFA technologies on the market fail to resist phishing attacks or require the use of tokens/mobile devices that cannot be used in high-security government buildings. DEFEND’s behavioral biometric signal can be used as a highly phishing-resistant MFA option that does not require the use of a mobile device, one-time code, or push notifications. DEFEND can offer continuous authentication versus the intermittent authentication model used by today’s leading MFA providers.
❯ Device-level and identity authentication
Per the memo, agencies will be required to authorize users to access resources using at least one device-level authentication signal alongside an identity signal.DEFEND’s technology can be used to extend biometric authentication down to the process level, a feature unique to our DEFEND solution, called authenticated process chains.
❯ Risk-based decision making
Risk-based decision is also a critical component of a ZTA. Other solutions in the market calculate risk by looking at complex rules such as the user changing their credentials within a specific timeframe, whether the user recently accessed the system from a new intellectual property (IP), or if there was activity outside of their “normal” user behavior. DEFEND stands alone in its ability to determine risk level based on a users’ unique keyboard and pointer movement, continuously every 3-5 seconds.

Learn More

This latest memo is another step in the right direction as both enterprises and government entities make the transition to a ZTA. As a ZT leader, Plurilock’s behavioral biometrics and continuous authentication technology offers an innovative way for organizations to protect their technology ecosystem. For more information on zero trust, download our guide on Plurilock and the NIST 800-207 guidance, download our white paper Catching Up to the New Normal with Zero Trust, and download our authentication guide.

See Plurilock in action