Why is the Federal Zero Trust Memo Important and How Does it Impact Identity?

On January 26th, 2022, the Office of Management and Budget (OMB) issued Memorandum (memo) M-22-09: “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles” to the Federal Government. The OMB issued this memo, which we’ll also refer to as “the Zero Trust memo,” in support of President Biden’s Executive Order (EO) 14028: “Improving the Nation’s Cybersecurity,” which mandated the adoption of Zero Trust after a series of cyberattacks on the Federal Government and critical infrastructure.

So, what does this all mean, and why is it important to understand?

While M-22-09 isn’t the first piece of Zero Trust guidance issued to the Federal Government, it is certainly the most significant to date. This is the first piece of true policy that not only advises on best practices for implementing Zero Trust, but also mandates specific strategic goals and actions that agencies must satisfy—all by the end of Federal fiscal year 2024. Of note, one of these strategic goals focuses on identity.

Continue reading to learn:

1. Who the Zero Trust memo applies to

2. Key actions that are part of the strategic identity goal, and

3. How to complete those actions

Before diving into the Zero Trust memo, it’s worth taking a step back to understand who exactly it’s relevant to.

To start, those familiar with OMB memos know that typically they only apply to Federal Civilian Executive Branch (FCEB) agencies. But, a memo released just one week before M-22-09—NSM-8—changed who would need to follow any future memos surrounding the EO. And, because the EO had initially stated that any impacted agencies must also follow subsequent policies issued in support of the EO, M-22-09—released shortly after NSM-8—now applies to more than just the FCEB.

Let’s take a look at that first memo to understand why.

On January 19, 2022—just seven days before the release of M-22-09—President Bident signed National Security Memorandum-8 (NSM-8): “Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems.” It was a preemptive memo that required the Department of Defense (DoD) and Intelligence Community (IC) to follow the EO in addition to FCEB agencies. This ultimately impacted who would need to follow future policies, which incidentally meant a larger portion of the Federal Government would need to start paying attention. Therefore, now FCEBs, the DoD and IC all need to follow M-22-09.

And, if you’re in the private sector, don’t stop reading here. Government policy certainly influences practices in the private sector. And if you’re a government contractor, you know all too well that there are times you get pulled into policy requirements (here’s looking at you, CMMC 2.0).

Ultimately, this means everyone should be aware of M-22-09 and its requirements, whether or not you’re a Federal agency.

M-22-09 mandates actions that must be completed by all those agencies who are now included in the EO. These actions each fall under the umbrella of five “strategic goals” that align to each of the pillars in the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model. The pillars are:

All of these pillars are important for agencies to follow. But, as firm believers that identity is the foundation of Zero Trust here at Ping, we’re going to focus on the strategic goal associated with that first pillar: identity. 

More specifically, in M-22-09, the goal states:

As part of meeting this goal, agencies must complete three key actions:

• Action 1: “Agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms.”

• Action 2: “Agencies must use strong MFA throughout the enterprise.”

• Action 3: “When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user.”

The OMB expands upon all of these actions, so there’s a lot more to each one of them than simply the bullets above. Below, we’ll dive into the specifics and review what the actions are looking to accomplish, how to meet them, and how they’ll benefit your agency.

Action 1: “Agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms.”

Identity Silos Stand in the Way of Risk-Based Access

The first action targets a foundational issue of Federal Government IT environments: identity silos.

Today, many agencies are faced with decentralized and fragmented identity databases and administration processes due to traditional identity, credential, and access management (ICAM) approaches that required agencies to build distinct identity systems to support different “levels of assurance.” As a result, many of today’s government IT environments look like this:

Whereas we want them to look like this:

In addition to being visually unappealing, fragmented identity environments prevent agencies from establishing:

• Holistic visibility into user activities and permissions.

• Consistent authentication practices to verify users attempting to access government resources.

• Reliable accountability into what accounts have been provisioned and where they may still be active.

And as the memo notes, these must be in place for agencies to implement risk-based (i.e., Zero Trust) access.

One example that demonstrates the repercussions of identity silos (simply beyond the extra administrative burden) is the Colonial Pipeline ransomware attack. If you aren’t able to reliably manage and track provisioned accounts, they could accidentally remain active beyond their intended purpose. Such was the case in the Colonial Pipeline attack, where a deprecated administrative account was still in an active state on a legacy system.

Break Down Silos With a Single Identity Control Plane

Employing a centralized identity management system allows you to consolidate identity data storage and authentication systems and bring them all into one identity control plane. This unifies the previously fragmented systems so that you can:

• Extend the use of existing authenticators to all resources.

• Create and maintain master user records that store all metadata.

• Establish and manage agency-wide single sign-on (SSO).

• Simplify administration, and more quickly respond to emerging threats.

This enables the visibility, interoperability and consistency needed to apply risk-based access across your environment. And keep in mind: the OMB is specifically looking for agencies to implement standards-based identity management systems. Technologies built on open standards are even easier to integrate so that you’re better equipped to break down identity silos, improve interoperability, and adapt to future IT security needs.

Action 2: “Agencies must use strong MFA throughout the enterprise.”

It’s Time for Phishing-Susceptible MFA to Go

The OMB clarifies that by “strong MFA,” they mean “phishing-resistant MFA.” The OMB also specifically highlights PKI-based authenticators as not only a phishing-resistant form of MFA, but also “the simplest way” for many agencies to satisfy this action.

This is partially because PKI authenticators should already be the principal form of authentication in use as required by M-19-17: “Enabling Mission Delivery through Improved Identity, Credential, and Access Management.” Afterall, the primary PKI-based authenticators in use—PIV and CAC smart cards—already have more than two decades worth of innovation and investment, so why not take advantage of all of that enterprise security goodness?

The reality is although PIV/CAC smart cards may be the simplest option for government agencies, that doesn’t necessarily make it an easy option. Remember those silos we talked about before? They’re preventing a lot of agencies from integrating their smart cards across their entire environment.

This is particularly important as Action 2 emphasizes the need to integrate MFA directly at the application levels accessed by Federal staff, contractors, and partners, as opposed to relying on more traditional network-based authentication approaches (i.e., VPNs). This move away from network-based authentication is necessary to establish a Zero Trust environment, and it allows agencies to tighten up security perimeters around applications. This has become increasingly important as more and more sensitive applications are moved to the cloud.

So what’s standing in the way of broader smart card use? Decentralized identity management. Many of the applications found in Federal IT environments lack support for the X. 509 certificates that smart cards use to help verify user identities. This means that before the application is able to accept a smart card, it must be enabled to support these certificates. However, without a way to centralize identity management, developers must enable support on an individual level—manually re-configuring every single application before it can accept a smart card.

This is not only an incredible administrative burden, but also an unrealistic goal for Federal agencies to accomplish. Therefore, it shouldn’t be a surprise to learn that many applications in Federal environments still cannot accept smart cards. So agencies’ authentication flows looks like this:

Extend the Use of Phishing-Resistant MFA with an Authentication Hub

To overcome this challenge, you can employ a modern authentication (or federation) hub that:

• Provides native X. 509 support

• Enables the use of standards-based protocols like OpenID Connect (OIDC) and Security Assertion Markup Language (SAML)

• Plugs into the centralized identity management systems required in Action 1

This allows you to:

• Remove the need for individual applications to support X. 509 certificates

• Enable PKI authentication to legacy applications (that may only support simple username and password authentication) and SaaS applications

• Reduce the number of times an individual is prompted to authenticate with their smart card

The result is modern single sign-on (SSO), in which the authentication hub extends its certificate support to all applications the agency has integrated into the system. With this, you can establish a new, more efficient authentication process.

For example, instead of logging directly into an application, the user can log into the authentication hub with their smart card. The hub uses its support for X. 509 certificates to verify the identity associated with the user’s smart card on behalf of the app. The app accepts this verification and grants access to the user. So now, your authentication flow looks like this:

And voilà! You can now use phishing-resistant PKI-based authenticators to log into any application, whether or not the application itself supports X. 509 certificates. With this, you get the best of both worlds: you can leverage one of the strongest enterprise-grade authenticators in a way that’s easy for administrators to manage.

Action 3: “When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user.”

Role-Based Access Control is No Longer Enough

This last action is about facilitating the transition from coarse-grained, role-based access control (RBAC) to fine-grained, attribute-based access control (ABAC).

Historically, authorization has been a very inflexible process. A user either received access or not based on their role in the organization, hence the phrase RBAC. The problem with this approach is that it doesn’t leave any room for taking into consideration the nuances of individual authorization requests.

For example, just because somebody works in the HR department, that doesn’t mean you’d want them to automatically be authorized for full access under every condition to every HR-related system. This applies to any department, but especially those dealing with sensitive data and systems. But, if you can only grant access based on an individual’s role, that’s what will usually happen.

M-22-09 is a significant step forward in the Federal Government’s Zero Trust journey. Its broad reach and specific requirements demonstrate that Zero Trust is truly no longer an option for government entities. And with the deadline to show compliance in the near future, you need to get your Zero Trust projects off the ground as soon as possible.