Federal OMB Zero Trust Memo Puts Agencies on Notice With Deadlines

In May 2021, the Biden administration, issued Executive Order 14028, Improving the Nation's Cybersecurity in the wake of the SolarWinds and Colonial Pipeline attacks. The order aimed to increase Cyber Resilience and reduce risk for government agencies. It directed them to develop, in a mere 60 days, a plan for implementing a Zero Trust Architecture. Writing in response to the order, Illumio Federal Director Mark Sincevich noted that agencies needed an operational roadmap to build and implement the architecture into federal systems.

That roadmap is what Memorandum M-22-09, released on January 26^th from the Office of Management and Budget (OMB), lays out — a federal Zero Trust Architecture strategy directive with firm deadlines.

It directs agencies to submit to OMB and CISA an implementation plan for FY22-FY24 within 60 days from issuance of the memo. The memo clearly describes what agencies are expected to achieve on a technical level, what needs to be done by when, and the budget planning required. Some milestones have a 12-month timeframe; others 24 months. The memo provides essential guidance on where agencies are expected to be in Zero Trust terms by the end of fiscal year 2024.

The memo offers a direct line of sight between what the OMB expects agencies to implement and what a platform or solution can deliver. There’s no need to take a leap of faith between an ill-defined requirement and what a vendor can offer.

The memo’s demands are ambitious. But agencies have nearly three years to advance their Zero Trust postures, and I imagine by December 2024, the majority will have either achieved a large percentage of what’s required or have a definitive plan for how to do so. However, the memo does not specify how progress will be measured and success gauged — and the definition and tracking of these metrics will be essential to driving adoption.

CISA’s five Zero Trust pillars

The strategic goals outlined in the memorandum align with the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model, which has five pillars:

1. Identity
2. Devices
3. Networks
4. Applications and Workloads
5. Data

As Mark noted in his blog, there’s no one technology that agencies can implement to achieve Zero Trust. But Illumio can contribute to and directly support many of the goals addressed in the memorandum. For example, under the identity pillar, the federal government should have “a complete inventory of every device that operates in authorized government use and can prevent, detect, and respond to incidents on these devices.”

Illumio can bolster an agency’s endpoint detection and response (EDR) capabilities by providing complete visibility with context to understand risk and relationships between devices. EDR tools can tell you what’s happening on an individual device. With Illumio's mapping capabilities, you can see the interactions and relationships between devices and have a clearer picture of what should be allowed and what should not.

And, of course, certain systems such as mainframes aren’t compatible with EDR tools because those tools are designed to be installed on an operating system. But Illumio can ingest flow data from those systems and represent those and their interactions on the same dependency map. And this detailed, real-time dependency map is an essential first step towards Zero Trust Segmentation.

Protecting networks and application workloads

The key phrase in the memorandum concerning networks asserts “agencies must move away from the practice of maintaining a broad enterprise-wide network that allows enhanced visibility or access to many distinct applications and enterprise functions.” The overall goal of the network section is to break down network perimeters into isolated environments. So, in other words: implement segmentation.

In terms of workloads, the memorandum directs agencies to make “applications internet-accessible in a safe manner, without relying on a virtual private network (VPN) or other network tunnel.” They must identify at least one internal-facing Federal Information Security Management Act (FISMA) Moderate application and make it fully operational and accessible over the public internet.

Taken together, here’s the message: You can’t assume you can trust anything on your network, and you need to protect every application as if everything else around it is untrusted. Instead, assume a breach mentality where any resource on your network could be compromised by a bad actor. What can you do to ensure it’s really difficult for them to meet their objectives?

And that is absolutely where Illumio and Zero Trust Segmentation come in. Zero Trust Segmentation, which includes host-based micro-segmentation, is foundational to a Zero Trust architecture for the purpose of precisely controlling lateral movement across the network.

Taking a host-based approach to building security allows for the granular control at the application and workload level the memo demands, something a network-based approach to segmentation is unable to provide in any straightforward manner. Illumio's Zero Trust Segmentation technology directly supports agencies in meeting the application and workload protection requirements set out in the memo.

Making internal applications safely accessible from the Internet

When you make an application that’s usually internal securely accessible from the Internet, that means anyone who successfully authenticates will have direct access to it on your internal network. But if that application is compromised, it shouldn’t mean your entire organization is compromised. You must adopt micro-segmentation around that application, so you limit the impact of a breach. Essentially each application needs a “micro-perimeter,” a Zero Trust "enclave." Illumio can be a key part of making that possible.

Risk-based visibility and monitoring

Of course, visibility and monitoring are essential components of any Zero Trust security strategy. Illumio's application dependency map allows you to observe traffic flows between applications and workloads across data centers and cloud platforms in real time, helping to understand dependencies and connectivity so that you can segment appropriately.

Illumio gathers a lot of useful information that monitoring platforms can leverage without the overhead — and often underestimated risk — of network inspection. For example, Illumio overlays third-party vulnerability data with the application dependency map for a risk-based approach to prioritizing security and patching decisions — which, if you look at CISA's Zero Trust Maturity Model, is largely about what you do first.

Integrating vulnerability and threat feed data enables risk-based visibility. Illumio ingests vulnerability scan data from your favorite scanner into our Policy Compute Engine (PCE). This provides vulnerability metadata about each workload you can overlay with a view of workload connectivity. From this, you get a quantitative exposure or risk score, making it easy to understand how much risk vulnerabilities are generating and which applications are connecting to vulnerable ports.

Typically, a vulnerability scanner has no idea how exposed a workload is. But that’s exactly what Illumio has. The two make a powerful combination. Let’s take an example.

The Log4j vulnerability allowed hackers to take control of millions of servers, shutting them down or forcing them to spew malware due to widely used faulty code. Log4j had a CVSS (Common Vulnerability Scoring System) score of 10.

But let’s imagine you only have one workload running Log4j and it's buried deep in your data center with few connections to other workloads. Meanwhile, another vulnerability with a score of 5 resides on 10 servers that are highly connected.

Now, if you just look at your vulnerability scanner data, you’d conclude that you had better patch the Log4j server immediately. But when you look at your actual exposure, you realize these 10 servers with vulnerability 5, which are densely connected, are the most exposed and should be patched first.

That’s what Illumio's risk-based visibility allows you to see. Vulnerability management often lacks prioritization, and Illumio helps prioritize the vulnerabilities that are most highly exposed and most likely to be exploited first.

Putting a Zero Trust Segmentation plan in place with Illumio

So, think about this in terms of what the OMB memo requires. In 60 days (the end of March), agencies need to have a Zero Trust Architecture implementation plan that details how they will achieve the memo's goals. This includes how they will budget for plan objectives that need completion by the end of FY 2024 and those that need completion in FY 2022 and FY 2023 — a daunting task made all the more arduous with the time constraints. The best way is to start small and expand over three years.

A large part of the 60-day plan needs to show how your agency can stop an adversary's lateral movement. This should be at the top of the priority list. Before you roll out Zero Trust Segmentation, you need a real-time application and workload dependency map.

You have to see what you want to segment. So, visibility is critical, along with locking down needlessly open ports. You can accomplish the latter with what Illumio calls a 'containment switch,' which is really a micro-segment around a particular port. Illumio can ingest vulnerability data to prioritize the riskiest ports, which reduces the attack vector. Your agency can also put forward a plan to micro-segment high-value assets (HVAs) like critical applications or workloads.

Here is what a three-year rollout could look like:

• FY22: Gain network visibility, roll out containment switches with vulnerability maps, micro-segment HVAs, and integrate with your SIEM
• FY23: Expand segmentation efforts to include larger areas of the agency (e.g., separate Production from Development), further integrate with the SIEM, add Enforcement Boundaries, and expand to classified networks
• FY24: Finish the micro-segmentation rollout for unclassified/classified networks, continue application-specific enforcement, and integrate into new server builds

Illumio Zero Trust Segmentation can enable every one of these outcomes. And parts of an agency can simultaneously be at different places on the rollout over the three-year period. Illumio has flexibility and, because it's decoupled from the network architecture, can scale to an unlimited number of workloads under management.

Illumio stops the lateral movement of malware and cyberattacks so your agency can accomplish its mission more effectively. For more information:

• Contact us to speak with our federal Zero Trust experts.
• Visit our federal solutions page to learn more about how Illumio helps agencies and commands build a Zero Trust architecture with risk-based visibility and Zero Trust Segmentation.