Memo M-22-09: Creating a Solution Architecture for Zero Trust

zero trust architecture memo

By: The AINS Team

In May 2021, President Joe Biden issued an Executive Order on Improving the Nation’s Cybersecurity to protect public and private sectors from malware attacks. In the order, the president details how taking action to improve cybersecurity requires significant investment in a national digital infrastructure built on zero trust, meaning that all activity inside a network is treated as untrustworthy unless verified.

Four months later, the Office of Management and Budget (OMB) released a draft document detailing the priorities of agencies as they begin transforming. As of January, the White House has officially published a final version of the zero trust architecture (ZTA) strategy, M-22-09, outlining key areas of focus and deadlines to ensure compliance leading into FY 2024.

The transition focuses on building public safety, privacy, and safeguarding American trust in the government. By shifting security philosophy, the government aims to maintain secure networks of collaboration while reinforcing areas of risk in enterprise-wide applications. Significant emphasis is being placed on access controls such as multi-factor authentication and consolidating identity systems. Within the new architecture, “every application will be treated as internet-accessible” and thus agencies will be required to transition towards CISA’s zero trust maturity model where application access will no longer be routed through specific networks.

Shifting away from trusted networks is not going to be a quick transition, particularly with the complex and shifting needs of the federal government. Some of the key aspects of the memo are to provide clarity as agencies take steps towards building up enterprise solution architecture, including:

CISA’s Five Areas of Effort

  • Identity: Moving away from trusted networks and instead towards role-based permissions. In addition, implementing multi-factor authentication (MFA) will be able to protect personnel from sophisticated phishing attacks.
  • Devices: Any organization with devices authorized for government use are recorded in a complete inventory with data access being dependent on real-time risk analytics to prevent security threats before they start.
  • Networks: All DNS requests and HTTP traffic has to be encrypted, and organizations will begin developing plans for machine learning based threat protections.
  • Applications and Workloads: All applications will be treated as internet-connected and thus subject to rigorous testing and vulnerability reports.
  • Data: Through data categorization, agencies can take advantage of cloud security services to monitor access to sensitive data. Enterprise-wide logging and information sharing.

Key Deadlines

Within 30 days of the memo’s publication, agencies will need to select a leader for their ZTA strategy implementation. These people will serve as a coordinator with the OMB for engagement, planning, and implementation efforts within each organization.

Within 60 days, agencies will be expected to incorporate additional requirements laid out by the document as well as submit implementation plans and budget estimates for the 2022-2024 fiscal years. The plans will go through a review process with the Office of Management and Budget and CISA.

Within 120 days, Chief Data Officers will need to create categorizations for sensitive data. These categories will be used to monitor and restrict the sharing of sensitive information on an as needed basis.

Encourage Partnerships

Digitally transforming any aspect of an organization is a journey, not a destination. Partnering with industry can provide insight into the challenges of modernizing an agency’s operations and systems, and the AINS team is prepared to help your agency achieve your digital transformation goals. Whether your agency is just starting its zero trust journey or is looking for a consultation, please contact our team at info@ains.com or schedule a demo of our eCase suite of enterprise-wide solutions.

Further Resources:

The Solution Architecture to Digital Transformation

How to Achieve Process Transformation at the Organizational Level

Low-Code Solution Areas: Power Your Business Processes

For the complete details of the M-22-09 memo, including the breakdown of CISA’s Five Pillars and additional deadlines, click here.

AINS is dedicated to ensuring a zero trust solution strategy is implemented as seamlessly as possible for our partners. If you have any further questions or would like to receive a quote, please contact us at info@ains.com.