US military goes zero-trust on software

Federal agencies are continuing to put in place their cybersecurity strategies 18 months after the Biden Administration issued its executive order to strengthen the government's defenses.

Most recently, the Pentagon this week outlined its zero-trust strategy [PDF] roadmap while the Cybersecurity and Infrastructure Security Agency (CISA) updated its infrastructure resilience framework for guiding state, local, and tribal entities as they plan their cybersecurity efforts.

In addition, the Information Technology Industry Council (ITI), a tech trade group, is asking the White House's Office of Management and Budget (OMB) to clarify its recommendations for securing software development practices.

These are all outgrowths of the seeds that President Biden planted in May 2021 calling on both government agencies and private corporations to improve their capabilities in the face of growing ransomware threats, supply-chain attacks, and other digital dangers.

Zero-trust architectures – the idea any person, device, or application trying to access a network cannot be trusted until authenticated and verified – are a core element. The OBM in January issued a memo calling for all government departments to head in that direction. The Department of Defense's release of its strategy and roadmap is part of the effort.

The DoD wants to put a zero-trust framework fully in place by 2027 and the strategy encompasses four goals that include ensuring that personnel are aware of and trained for zero trust and that all information systems are covered by it. The Pentagon also wants to make sure all related technologies keep pace with industry innovation and that policies and funding dovetail with zero trust approaches.

• Federal bans aren't stopping US states from buying forbidden Chinese kit
• Pentagon is far too tight with its security bug bounties
• Top of the Pops: US authorities list the 20 hottest vulns that China's hackers love to hit
• US Department of Defense funds Google and SkyWater to enable open source chips

In its introduction of the strategy, the DoD noted that its systems are under "wide scale and persistent attack" from threat groups, particularly from China and other nation-states, that "often breach the Department's defensive perimeter and roam freely within our information systems. The Department must act now."

"This urgency means that our colleagues, our warfighters, and every member of DoD must adopt a Zero Trust mindset, regardless of whether they work in technology or cybersecurity or the Human Resource department," DoD CIO John Sherman wrote. "This 'never trust, always verify' mindset requires us to take responsibility for the security of our devices, applications, assets, and services."

The Pentagon had earlier released a zero-trust reference architecture and then a second version in June. Unveiling a strategy and roadmap is a key step forward, according to Steve Faehl, federal security CTO at Microsoft.

Faehl noted in a blog post that US government networks face almost half of all nation-state attacks that occur and that the DoD's update this week offers the department and IT partners – like Microsoft – better guidance that touch on 45 capabilities and 152 activities.

"While Zero Trust initiatives have been underway for years across various departments, this updated strategy seeks to unify efforts to achieve a strong, proven defensive posture against adversary tactics," he wrote.

For its part, CISA initially rolled out its Infrastructure Resiliency Planning Framework in 2021 to guide entities as they work to protect critical infrastructure. Now the agency is offering updates like the Datasets for Critical Infrastructure to help identify such environments, how best to bring together the various groups that have a stake in the efforts, and a revised way to better understand infrastructure systems.

In addition, CISA's framework now includes more information on the code droughts can have on critical infrastructure.

Also, in his nine-page November 21 letter [PDF], Gordon Bitko, ITI's executive vice president of policy for the public sector, pushing OBM Director Shalanda Young to clarify her September 14 memo [PDF] to federal agency heads outlining steps to protect against software supply chain attacks by ensuring secure software development practices.

The OBM memo directs agencies to make sure software makers conform to such requirements as being consistent with NIST guidelines and by demanding proof from the vendors that they are complying by asking for a software bill of materials before using the software.

In his letter, Bitko wrote that the memo, while an "important milestone," hinders software makers with "ambiguous terminology, confusing timelines, and the potential for regulatory fragmentation."

"We are concerned that these requests will be applied differently across the government, even within agencies," he wrote. "This creates ambiguity and may ultimately delay progress towards the government's important software security goals."

Bitko recommended several steps the OBM should take, including creating a single standard form that all agencies can use, adjusting the implementation timeline, and piloting parts of the plan before requiring them. ®