On January 26, 2022, the Office of Management and Budget (OMB) issued a strategy to move the US government toward a zero trust approach to cybersecurity. The strategy represents the next step in the Biden Administration delivering on the President’s May Executive Order (EO), Improving the Nation’s Cybersecurity. The EO aimed to improve the state of cybersecurity in the country, which included requiring federal agencies to develop their plans for implementing zero trust architectures. The OMB’s new guidance requires agencies to fold new provisions into the plans they were already developing.
The President’s EO defines zero trust as a security concept that “eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.”
Zero Trust architecture is a method of designing computer networks and data centers in which granular, rule-based policies strictly control access to network resources. In addition, zero trust architecture treats every incoming connection as a potential threat until proven otherwise.
The OMB requires all agencies to meet five specific zero trust security goals as laid out in the Cybersecurity and Infrastructure Security Agency’s (CISA) zero trust maturity model. The agencies must meet the following goals:
- Identity: Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects personnel from sophisticated online attacks.
- Devices: The Federal Government has a complete inventory of every device it operates and authorizes for Government use and can prevent, detect, and respond to incidents on those devices.
- Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment and begin executing a plan to break down their perimeters into isolated environments.
- Applications and Workloads: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.
- Data: Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data and have implemented enterprise-wide logging and information sharing.
The OMB gives agencies a narrow timeline to meet the above goals. Agencies have until February 26, 2022 to designate a zero trust strategy implementation lead and until March 26, 2022 to incorporate the memo’s requirements into their original plans laid out in the President’s EO. All agencies must achieve the five zero trust goals by the end of the Federal Fiscal Year 2024.
How Acronis SCS Can Help Agencies Meet These EO Requirements
At Acronis SCS, we understand the government’s unique security and usability needs. As such, we have designed a tailored, tested, and trusted backup software purpose-built for sensitive environments like those within the DoD and civilian agencies. Our backup and recovery software Acronis SCS Cyber Backup 12.5 Hardened Edition ensures data and systems are protected no matter your mix of legacy and modern systems, proprietary and non-proprietary applications, or dissimilar hardware requirements.
Our hardened backup solution enables a full system image recovery via the network and optical media without the need to deploy an agent. Plus, this software includes built-in, AI-based protection against ransomware, called Active Protection. A comprehensive suite of data sharing products equips you with the tools you need to securely, efficiently, and affordably access, share, sync, and store files at the edge – all critical tasks for timely decision-making and employee productivity.
With zero integration or outbound connections to online services, certified high-grade encryption and hardware-based random number generation for maximum entropy, built-in anti-ransomware protection, and extensive testing via the FIPS 140-2, Common Criteria, and DoDIN APL certification processes, this game-changing solution radically reduces your network’s attack surface.
Our own experience can shed light on your Zero Trust journey. At Acronis SCS, we not only built a zero trust environment, but we’ve also made the Acronis SCS Cyber Backup 12.5 Hardened Edition zero trust, too.