Last updated on March 26, 2024
The White House announced a new federal strategy that mandates federal agencies to adopt Zero Trust. The Federal Zero Trust Strategy is a follow-up to the seminal Executive Order on Cybersecurity that President Biden signed last May following a series of critical data breaches and ransomware attacks such as the Colonial Pipeline ransomware attack.
A New Federal Approach to Security
The Federal Zero Trust Strategy of the U.S. Government is a concrete response to the growing menace of complex cyberattacks. Conventional perimeter-based defenses prove insufficient in protecting critical infrastructure and data against advanced modern threats. Cybersecurity experts discover new vulnerabilities each month, often only after they were first found and put into use by hackers. A new vulnerability found in a conventional infrastructure gives malicious attackers an opening wedge into a system.
The main goal of the new strategy is to make federal agencies adopt the Zero Trust model, a security approach popular among commercial companies and known for its ‘never trust, always verify’ maxim. Zero Trust assumes that no user, device, or application can be inherently trusted. Continuous security verification is required to ensure that the system has not been compromised and accounts are intact.
The government-wide endeavor to adopt Zero Trust is closely linked to the effort to realize the security benefits of cloud-based infrastructure while simultaneously addressing on-premises and hybrid systems. Agencies seeking to abide by the new requirements will have to fit identity access management and cloud network architecture into their existing IT infrastructure.
Multi-Factor Authentication (MFA) To Be Enforced
Deployment of Multi-Factor Authentication (MFA) will be a significant step in federal agencies’ transition to the Zero Trust approach. The federal strategy recognizes that compromising user accounts is a common attack vector and strong authentication is a necessary component of a zero-trust architecture. Zero Trust calls for stronger identity management and security controls. These challenges can be accomplished with Multi-Factor Authentication. As a result, all agencies must integrate and enforce MFA across applications that allow access to federal systems.
In Zero Trust, a user who approaches an application from a particular network should not be considered more trustworthy than another user approaching the application from the public internet. Consequently, the Federal Zero Trust Strategy emphasizes that MFA should be deployed on the application level and not on underlying networks such as Virtual Private Networks (VPNs), thus proving that the Zero Trust approach principles will also apply to Multi-Factor Authentication.
Phishing-Resistant MFA Will Be Required
An important requirement regarding Multi-Factor Authentication (MFA) is that agencies must require their users to use a phishing-resistant authentication method to access agency-hosted accounts. Examples of such phishing-resistant authentication methods include PIV Smart Cards that implement the Federal Government’s Personal Identity Verification (PIV) standard and security keys that use the World Wide Web Consortium (W3C)’s open “Web Authentication” standard. It is believed that this requirement will mitigate the scale and impact of the so-called phishing attacks, which involve users being tricked into providing some confidential information to attackers. For example, malicious actors may trick a person into clicking a link. Such a link can be sent via email and redirect the unsuspecting victim to a bogus page that looks like a carbon copy of another site. After the victim provides their login information on the fake page, the hacker hijacks user credentials and uses them on the legitimate page to gain access to the victim’s account.
Phishing-resistant authentication methods prevent phishing attacks by storing the domain name on the authenticator (for example, on a WebAuthn Security Key). Typical phishing attacks redirect the user to a fake website where they enter their credentials. Phishing-resistant authenticators eliminate the risk of human error by verifying the domain name for the user. If the domain name is not confirmed, the authentication process is terminated immediately and access is denied.
Zero Trust and MFA Are The Future of Cybersecurity
The Zero Trust approach to cybersecurity will allow agencies to quickly detect, isolate, and respond to modern threats. The shift to the new cybersecurity paradigm is directly aligned with the goals for agencies enumerated in the same federal strategy. Adopting Zero Trust will bolster security resilience and strengthen federal cyber defenses. Federal agencies are required to put the strategy in place by the end of Fiscal Year 2024.
“This zero trust strategy is about ensuring the Federal Government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the United States harm.” said Acting OMB Director Shalanda Young.
Here at Rublon, we believe that Multi-Factor Authentication (MFA) combined with the principles of Zero Trust is the future of cybersecurity. Today’s cyberattacks are unrelenting. Hackers try to use every way to access, steal, and destroy data or otherwise harm companies. Only an immediate and decisive action of adopting Zero Trust and Multi-Factor Authentication (MFA) in your company can stop them. Federal agencies have already started the process of adoption. Now is the time for commercial companies who still have not adopted Zero Trust to do that too.
