OMB’s Zero Trust Strategy: Government Gets Good


What a time to live! Following Forrester’s publication of our definition of modern Zero Trust (ZT), the U.S. Office of Management and Budget (OMB) released a note titled Moving the US Government to Zero Trust Cybersecurity Principles.

Coincidence? Yes. A big deal? Also, yes.

If executed according to their mandate, not only will government agencies reach the security maturity levels of large private sector organizations (they are just beginning hiring at this level, remember), they will also surpass them. This major transformation effort sets a new bar for all industries and is cause for celebration. It also breaks down barriers to Zero Trust adoption by providing security leaders across industries with a set of priorities aligned with each of the five Zero Trust Pillars that they can seek executive buy-in. easier by a leading government. mandate — and incorporate them into their budgets and timelines.

Celebrate this strategy

Zero Trust advocates should jump for joy at the federal government’s understanding of the modern Zero Trust and how it is operationalized. Forrester designated seven operational areas of Zero Trust: five for security controls and two for domain interaction when we created Zero Trust eXtended (ZTX). The Cybersecurity and Infrastructure Security Agency (CISA) and OMB recognize these seven elements and add one more: governance.

So over the past decade, where previously there was a lot of confusion about how to define or operationalize Zero Trust, today there is an outpouring of aligned definitions, thanks to the White House Executive Order released in early 2021. It is important to note that CISA’s view draws from Forrester’s original conception of Zero Trust when we first defined it over 12 years ago. Our weapons are pointing in the same direction.

Second, the OMB strategy document is deepened and expanded. In all of these areas, OMB doesn’t just make the right call, it makes the bold call and doubles down on Zero Trust. Examples abound!



There are a handful of half measures, which is less than we expected for government IT largely made up of islands of varying technology maturity. This includes encrypted emails and some leeway on how people do ZT on the network (which is understandable, since the network is always the hardest part).

why it matters

Many organizations lack a compelling cybersecurity strategy; at least now US federal agencies are not among them. And while better cybersecurity is a laudable goal, remember that the sabers ring out in both a middle kingdom and the remnants of a superpower, who have no qualms about waging cyber warfare.

For many initiatives, the devil is in the details. This is not true for the OMB Zero Trust strategy; as we mentioned above, it is very good. Here, the devil will be in the execution. To what extent will each agency, contractor and all of their contractors operationalize Zero Trust?

The court

Among the timelines included in the OMB strategy are several short-term tasks, such as providing CISA and the General Services Administration with any hostname (only 60 days) and hosting reports external vulnerabilities for systems accessible via the Internet. Within a year, forced password rotation should be thrown into the gutter, where it belongs.

Basically, within 60 days, agencies must submit to the OMB and CISA an implementation plan for fiscal years 22-24 for OMB’s approval and a budget estimate for fiscal years 23-24.

As budget estimates align with roadmaps, many CISOs will need help revising them quickly. Recent improvements in cybersecurity hiring may help attract private sector patriots for some agencies, but others will need to rely on third parties for strategy advice. Having worked with many Forrester customers (federal, state, and municipal government agencies), we know that agencies:

  • Have different levels of technology and cybersecurity maturity.

  • Will undergo Zero Trust maturity assessments and gap analyzes based on the recently released CISA Zero Trust Maturity Model.

Coming to the long term

The OMB Zero Trust strategy mandates many important (and challenging) security enhancements for every federal agency over the long term. Two themes within the OMB strategy support the government’s CISO: cloud and collaboration.

Regarding collaboration, paraphrasing the second section, “[teams] within and across agencies should collaborate to jointly develop pilot initiatives and government-wide guidance on categorizing data according to protection needs, ultimately creating a foundation for automating security access rules. CFOs, acquisition managers, senior privacy agency leaders, and other agency leaders should work in partnership with their IT and security leaders to deploy and maintain Zero Trust capabilities . It is critical that agency leadership and the entire C-suite are aligned and engaged in redesigning an agency’s security architecture and operations.”

The OMB strategy also mentions the “cloud” 44 times in its 29 pages. “Agencies should make use of the rich security features present in cloud infrastructure,” the opening of the memo states. Many mandates, of course, are more easily accomplished with cloud-based architectures (think managing everything enterprise-wide). The OMB strategy contains cloud guidance for the five main Zero Trust pillars: Identity, Devices, Networks, Workloads, and Data.

mark this day

We ordered additional rations of ibuprofen for current and former Forrester analysts aligned with Zero Trust, as several sprained themselves with virtual high fives and physical pats on the back in celebration of the memorandum. Hyperbole aside, let’s watch and celebrate the monumental progress the U.S. federal government has made toward Zero Trust: In 2020, the NIST Zero Trust Architecture (SP 800-207); in 2021, the Biden’s Executive Order on Zero Trust and the CISA Zero Trust Maturity Model; and now, in 2022, the most precise and ambitious document to date, the OMB Zero Trust Strategy.

This post was written by Senior Research Analyst David Holmes and it originally appeared here.


Comments are closed.