In a continued effort to improve the security posture of federal agencies and private organizations alike, the Department of Justice (DoJ) has released a full report that offers a 120-day review of its efforts to reduce cyberthreats. The DoJ’s evaluation underscores the critical importance of security posture as outlined by the Biden Administration in its Executive Order on cybersecurity, and it proposes steps for disrupting dangerous cyberthreats while fortifying defenses against inevitable attacks on critical infrastructure.
The report was initiated by the U.S. Deputy Attorney General Lisa Monaco, who noted the importance of this approach in her keynote address at the 2022 International Conference on Cyber Security (ICCS): “At the Justice Department, keeping the American people safe from all threats, foreign and domestic, is an essential part of our mission. That is why, over the last year, we have been focusing on attacking cyberthreats from every angle. We are taking a proactive approach to the threat.”
The DoJ’s formal review is clear: cross-agency collaboration is key. It stresses that agencies need to work together at the federal, state, local, tribal, and territorial levels – while also including the private sector in their information and knowledge-sharing so that the nation’s entire infrastructure is more secure every day. And with upwards of 1.9 billion web applications in existence today, many of which are used throughout the government, getting a handle on the nation’s security posture is mission-critical.
Urging greater control for improved security posture
The report, which echoes guidance from a previous memorandum by the Office of Management and Budget (M-22-09), examines security needs through the purview of a zero trust approach and proposes significant steps organizations and agencies can take to improve enterprise identity and access controls. With this paradigm shift in how agencies approach security, they’ll have greater control over the verification of every user, device, and web application to keep infrastructures safe.
The report notes that the following strategies will help workers within the federal government:
- Maintain the necessary access needed to do individual jobs effectively while also protecting users from sophisticated phishing attacks.
- Monitor and track devices used by Federal staff to gain more control over access to internal tools and processes.
- Isolate agency systems and encrypt their network traffic for added security.
- Test enterprise applications internally and externally.
- Partner with relevant teams to set security rules that automatically detect and block attempts to access sensitive information.
As noted in its formal review, the DoJ stresses that shifting to zero trust architecture isn’t something that should be done quickly, nor is it without challenges. However, if agencies follow the strategy and agree on a path toward implementation, strengthening security posture throughout the federal enterprise is achievable.
A clear path forward with zero trust architecture
The report and its guidelines come on the heels of news that the Justice Department seized and forfeited about $500,000 from ransomware attackers in North Korea, which serves as an example of its approach yielding real-world results – and a word of caution for attacks to come.
Agencies are already making moves: in a recent Federal News Network Strategy Session, which included Invicti’s Federal Sales Manager Ted Rutsch and Chief Information Security Officer for the Department of the Navy Tony Plater, we discussed the Navy’s already-in-progress transition to zero trust and how critical it is to adopt a full cultural shift.
Plater elaborated, “Zero trust is not a single tool. It’s not a product but a collection of capabilities. It is a culture that we are espousing while working together closely within the DoN, with a North Star of being scalable, resilient, auditable, and having a defensible architecture.”
How should other branches of the government and federal agencies begin following similar guidelines? First, they must focus on partnering with neighboring agencies to exchange information, as well as start building sound channels of communication for awareness and adoption of new processes and tools. That includes deploying security guidelines similar to an existing playbook from the DoJ, which outlines best practices for victim response and reporting cyberincidents. Ultimately, they must also work to identify critical assets and approach severe vulnerabilities strategically, as directed by last year’s Executive Order.
Next steps: deadlines for formal plans and program leads
According to memorandum M-22-09, agencies are required to achieve certain goals around zero trust by the end of the fiscal year 2024. Taken together, the goals ladder up to the Zero Trust Maturity Model developed by the Cybersecurity and Infrastructure Security Agency (CISA). Under this framework, agencies will work towards securing five key pillars (Identity, Devices, Networks, Applications and Workloads, and Data) through the three main themes of Visibility and Analytics, Automation and Orchestration, and Governance.
As noted in the new report, within 60 days agencies must develop and build upon plans for formally implementing zero trust architecture and encouraging adoption. Within 30 days from publication of the report, agencies must designate and identify an implementation lead within their organization who can help spearhead and carry out their strategy. With these wheels in motion, agencies have the resources they need to more effectively safeguard their assets against future cyberthreats while reducing risk across the board.
If you’re ready to learn more about what goes into an effective zero trust approach to application security, download our white paper for actionable guidance that will help you energize and fortify your cybersecurity efforts.