The Executive Order on Improving the Nation’s Cybersecurity (14028) directs federal agencies to advance security measures that significantly reduce the risk of successful cyberattacks against federal government digital infrastructure. On January 26, 2022, in support of Executive Order (EO) 14028, the Office of Management and Budget (OMB) released the federal Zero Trust strategy in M-22-09, Memorandum for the Heads of Executive Departments and Agencies.
This article provides guidance on how to use InEvent solutions with a centralized identity management system when implementing Zero Trust principles, as described in memorandum 22-09.
Memorandum 22-09 supports Zero Trust initiatives in federal agencies. It has regulatory guidance for federal cybersecurity and data privacy laws. The memo cites the US Department of Defense (DoD) Zero Trust Reference Architecture:
"The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction."
The memo identifies five core goals for federal agencies to reach, organized with the Cybersecurity Information Systems Architecture (CISA) Maturity Model. The CISA Zero Trust model describes five complementary areas of effort, or pillars:
The pillars intersect with:
Agencies employ centralized identity management systems that can be integrated with applications and common platforms.
Utilize central dashboards with common threats identified by InEvent security systems and share incident information with agencies, utilizing industry-recognized formats for incident response and remediation.
Employ enterprise-wide, strong multi-factor authentication (MFA) and encryption for data at rest and in transit.
Incorporate all appropriate NIST standards, including password policies for compliance and regular rotation.
Agencies employ the principle of least privilege for deploying user accounts and access to resources.
Follow recommendations on requirements for logging events and retaining other relevant data within InEvent systems and networks, including the types of logs to be maintained, the time periods to retain the logs and other relevant data, and the time periods and cryptographic methods to ensure integrity.
M-22-09 MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES
Executive Order 14028, Improving the Nation's Cybersecurity
NIST Special Publication 800-207, Zero Trust Architecture