The Government Accountability Office says the U.S. Secret Service needs to update its zero trust cybersecurity implementation plan. On the whole, however, the government watchdog acknowledged the Secret Service’s progress in this area.
A zero trust architecture (ZTA) is a set of cybersecurity principles stating that organizations must verify everything that attempts to access their systems and services. The principle of zero trust is based on the concept that no actor operating outside or within an organization’s network should be trusted. ZTA embeds comprehensive security monitoring, granular risk-based access controls, and system security automation in a coordinated manner throughout all aspects of the infrastructure.
The federal government has begun efforts to use ZTA. Since 2020, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) have issued direction and guidance to federal agencies on the use of ZTA. In addition, the Cybersecurity and Infrastructure Security Agency in 2021 issued a draft roadmap on transition to ZTA, and the 2022 National Defense Authorization Act directed the Department of Defense to develop a zero trust strategy and a model architecture.
The U.S. Secret Service has developed an implementation plan for four milestones intended to support ZTA. The milestones are: perform a self-assessment of the agency’s IT environment against federal guidance; implement cloud service offerings from a vendor; achieve maturity in event logging; and transition the agency’s IT infrastructure to a more advanced internet protocol.
GAO found that Secret Service completed a self-assessment, and made progress in implementing cloud services and achieving maturity in event logging. In addition, the agency had a plan to implement a more advanced internet protocol, but had not met longstanding OMB requirements for public-facing systems. By transitioning to this protocol, GAO says the agency can leverage additional security features.
At the time of GAO’s performance audit (October 2021 to November 2022), Secret Service had additional efforts underway that could address actions specified in OMB’s zero trust strategy issued in January 2022. This strategy outlines actions that agencies are to take by the end of fiscal year 2024. However, GAO said Secret Service’s plan milestones do not cover all of OMB’s required actions because Secret Service developed its implementation plan before OMB issued the strategy. Nevertheless, the audit found that Secret Service either had efforts underway, or reported that it intended to perform activities that could cover the remaining actions.
It is also worth noting here that in March 2022, the Department of Homeland Security (DHS) developed its own ZTA implementation plan and submitted it to OMB. DHS plans to continue to build on its implementation plan per OMB requirements. For example, it intends to use an integrated project team to include components, such as Secret Service, in its planning processes to incorporate ZTA enterprise-wide.
NIST maintains that resources, applications, and services that are primarily cloud-based or primarily used by remote workers are good candidates for a ZTA approach. GAO found that Secret Service has begun to implement a cloud service provider’s offerings and plans to implement them further. For example, the agency had integrated its cloud-based authentication service with on-premises authentication processes to synchronize and manage user accounts across its IT environment. The agency also plans to deploy tools to leverage a cloud-based solution that should enable management of user and device identities using non-graphical user interfaces, such as scripts and command line tools. In addition, as of April 2022, Secret Service had plans in place to implement a component from its cloud services provider intended to support encryption of data at rest in the cloud.
In order to implement ZTA, agencies must…