This directive sets IT security requirements for all U.S. federal agencies. The required measures sound quite sensible:
- Enterprise-wide identity systems
- Phishing-resistant MFA (WebAuthn, FIDO2, etc.)
- Attribute-based access control (ABAC)
- Endpoint Detection and Response (EDR)
- Isolation according to NIST SP 800-207
- Vulnerability disclosure programs
- and so on
The departure from old paradigms such as VPN, regular password changes or role-based access control (RBAC) is surprising at first glance but logical from Zero Trust's point of view. The timelines (60 days to 1 year) for initial actions also sound more than ambitious. The end-of-FY-2024 target is not theoretically impossible to achieve, but given the number of agencies involved, it means a lot of work and coordination.
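To make the RBAC-to-ABAC shift concrete, here is an added example (my own illustration, not code from the directive or from the post's author) that evaluates the same access request under both models. Every attribute name, role, resource and policy rule in it is a constructed assumption; the point is that a static role table answers the same way regardless of context, while the attribute-based policy also weighs MFA strength, device posture and resource sensitivity, which is exactly why ABAC pairs naturally with phishing-resistant MFA and EDR in a Zero Trust design.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List

# Constructed sample policy data (assumed values, not from the directive).
PHISHING_RESISTANT_MFA = {"webauthn", "fido2", "piv"}

# Static role -> permission table, as an RBAC system would hold it.
ROLE_PERMISSIONS: Dict[str, set] = {
    "finance-analyst": {"ledger:read"},
    "finance-admin": {"ledger:read", "ledger:write"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: FrozenSet[str]
    department: str
    mfa_method: str          # "webauthn", "totp", "sms", "none", ...
    device_compliant: bool   # assumed to be reported by EDR/MDM posture checks
    resource: str
    resource_owner_dept: str
    sensitivity: str         # "low" or "high"


def rbac_allows(req: AccessRequest, action: str) -> bool:
    """RBAC: the answer depends only on which roles the subject holds."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in req.roles)


def abac_denials(req: AccessRequest, action: str) -> List[str]:
    """ABAC: evaluate subject, resource and environment attributes together.

    Returns the policy rules that deny the request; an empty list means allow.
    Role membership is still one attribute, but it is no longer sufficient.
    """
    denials: List[str] = []
    if not rbac_allows(req, action):
        denials.append("no role grants this action")
    if req.department != req.resource_owner_dept:
        denials.append("subject department does not match resource owner")
    if req.sensitivity == "high" and req.mfa_method not in PHISHING_RESISTANT_MFA:
        denials.append("high-sensitivity resource requires phishing-resistant MFA")
    if (req.sensitivity == "high" or action.endswith(":write")) and not req.device_compliant:
        denials.append("device posture not compliant")
    return denials


def abac_allows(req: AccessRequest, action: str) -> bool:
    return not abac_denials(req, action)


def compare(req: AccessRequest, action: str) -> dict:
    """Side-by-side decision for one request under both models."""
    return {
        "rbac": rbac_allows(req, action),
        "abac": abac_allows(req, action),
        "abac_reasons": abac_denials(req, action),
    }


# Constructed scenarios: same user and role, different context.
ANALYST_TOTP_LOW = AccessRequest(
    user="alice", roles=frozenset({"finance-analyst"}), department="finance",
    mfa_method="totp", device_compliant=True,
    resource="ledger-2024", resource_owner_dept="finance", sensitivity="low",
)
ANALYST_TOTP_HIGH = replace(ANALYST_TOTP_LOW, resource="ledger-m&a", sensitivity="high")
ADMIN_OTHER_DEPT = AccessRequest(
    user="bob", roles=frozenset({"finance-admin"}), department="hr",
    mfa_method="webauthn", device_compliant=True,
    resource="ledger-m&a", resource_owner_dept="finance", sensitivity="high",
)

if __name__ == "__main__":
    for name, req, action in [
        ("analyst, TOTP, low-sensitivity read", ANALYST_TOTP_LOW, "ledger:read"),
        ("analyst, TOTP, high-sensitivity read", ANALYST_TOTP_HIGH, "ledger:read"),
        ("admin from another department, write", ADMIN_OTHER_DEPT, "ledger:write"),
    ]:
        print(f"{name}: {compare(req, action)}")
```

The second scenario is the one that matters: RBAC grants the analyst's read because the role says so, while ABAC denies it because a high-sensitivity resource with a TOTP login does not meet the phishing-resistant MFA requirement. Nothing about the user changed, only the context, and that is the behaviour the directive's combination of MFA, EDR and ABAC is meant to produce.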
Similar approaches are already being taken in many companies, but there are many laggards there as well. That this document aims to move the public sector forward so decisively sounds good, at least in theory.
I think that stronger security requirements will also become more and more prevalent in our country. I have a hard time estimating what is wishful thinking and what will be feasible in the new U.S. directive. Certainly, the old directive has not yet been fully implemented and the struggle with legacy is (hopefully) not a purely German problem. It would also be interesting to see how this directive is actually implemented in the end, since the necessary know-how and resources do not grow on trees.
It would be interesting to know whether the BSI will make similarly stringent specifications in the future. In theory, the BSI IT-Grundschutz already covers many of the content-related topics of Zero Trust, but not with the same stringency. For example, the BSI IT-Grundschutz Compendium 2022 calls for multi-factor authentication for privileged accounts, for remote maintenance, or for high protection requirements. In Zero Trust, MFA is more or less standard for everyone. I think if we could achieve the level of protection that this directive is aiming for just for our KRITIS, we would be a big step ahead.
So there is still a lot to do in the future, but it could be worth it.
Translated with www.DeepL.com/Translator (free version)