In a move aimed at reducing the risk of cyberattacks against US government infrastructure, the White House instructed federal agencies to beef up cybersecurity. A strategy for implementing zero-trust cybersecurity across the federal government’s digital infrastructure was announced by the White House on January 26. The strategy provides a roadmap for how federal agencies should go about implementing zero-trust security.

Zero-trust security is a more effective approach to protecting networks from hacking attempts than the perimeter-based strategy that organizations have historically used. It’s being increasingly adopted across both the public and private sectors.

The zero-trust security model specifies that all systems, both inside and outside a network, must meet the same stringent cybersecurity requirements. 

According to the memorandum, shifting towards a zero-trust architecture will require the implementation of stronger enterprise identity and access controls, including the more widespread use of multi-factor authentication — specifically hardware-based authentication tokens like access cards, rather than push notifications or SMS. Agencies were also instructed to aim for a complete inventory of every device authorized and operated for official business, to be monitored according to specifications set by the Cybersecurity and Infrastructure Security Agency (CISA).

Another goal of the strategy is to help federal agencies better secure the devices from which staffers log into internal systems. The vision, the memorandum states, is that agencies will develop the ability to more effectively detect and respond to cybersecurity issues affecting employee devices, according to siliconangle.com.

The strategy also covers other types of information technology assets. To improve cybersecurity, the document states that agencies will have to isolate their IT systems from one another and ensure traffic between them is encrypted. Moreover, federal agencies would have to routinely test applications for cybersecurity issues and accept external vulnerability reports.