September 21, 2021

Cybersecurity Coalition Comments on Federal Zero Trust Strategy

Submitted via email to zerotrust@omb.eop.gov

Office of the Federal Chief Information Officer

Office of Management and Budget

Executive Office of the President

New Executive Office Building (NEOB)

725 17th St NW

Washington, DC 20006

Re: Call for public comments on the Federal Zero Trust Strategy

The Cybersecurity Coalition (“the Coalition”) submits these comments in response to the call for public comments issued by the Office of the Federal Chief Information Officer (OFCIO) in the Office of Management and Budget (OMB). The Coalition appreciates the opportunity to comment on its Federal Zero Trust Strategy and looks forward to working with the OFCIO to assist U.S. government agencies in their efforts to move federal departments and agencies toward more modern and secure zero trust architectures.

The Coalition is composed of leading companies with a specialty in cybersecurity and product services. We are dedicated to finding and advancing consensus policy solutions that promote the development and adoption of cybersecurity technologies. We seek to ensure a robust marketplace that will encourage companies of all sizes to take steps to improve their cybersecurity risk management.

The Coalition commends the OFCIO’s efforts to move the government towards zero trust architectures and looks forward to working with federal departments and agencies to change the way that security services, tools, and business practices are enacted across their environments. As the strategy notes, this paradigm shift in thinking will move agencies away from building perimeter-focused defenses to continual verification and monitoring of users, devices, applications, and interactions. The Coalition recognizes the significant resources that such a shift will require and supports the strategy’s allowance for additional time to build a plan and to identify those necessary resources. Specifically, the Coalition applauds OMB’s required actions giving agencies 30 days to identify a “zero trust architecture implementation lead” and 60 days to modify their zero trust plans to include implementation and budgeting across fiscal years 2022-2024.

Additionally, the Coalition appreciates OMB’s efforts to solicit feedback from both public and private sector entities with regard to its strategy. Creating a process that solicits comments from both agencies and their private sector partners will lead to a stronger end product with significant support inside and outside of government. The partnerships that agencies have with contractors and service providers underpin and drive the way that security is delivered across federal enterprises, and OMB’s process will allow all of those stakeholders to help shape the path forward on agencies’ zero trust journeys. As OMB continues to develop this document and other similar guidance, we hope that OMB will continue to engage with the industry partners that support the security and modernization efforts of departments and agencies.

The Coalition appreciates the coordination between the Cybersecurity and Infrastructure Security Agency (CISA) and OMB in the release of the Zero Trust Strategy, the Cloud Security Reference Architecture, and the Zero Trust Maturity Model. The Coalition supports the way that OMB used the pillars of the CISA Zero Trust Maturity Model as the framework for its strategy. That said, the Coalition recommends drawing further on the Cloud Security Reference Architecture and the Zero Trust Maturity Model in the recommendations. Specifically, as OMB directs agencies and CISA to implement different parts of the Zero Trust Strategy, the Coalition recommends referencing the recommended approaches, best practices, and government shared services that are identified and discussed in the Cloud Security Reference Architecture and the Zero Trust Maturity Model. Closer alignment across the documents will help agencies better plan and resource their transitions into zero trust environments.

Finally, the Coalition recommends that OMB encourage agencies to broaden their thinking around what they include as part of their agency zero trust plans. For instance, while the Coalition applauds requiring agencies to accept vulnerability reports on online systems, we believe that agency zero trust plans should also include vulnerability management programs that include remediation and risk acceptance protocols. Additionally, agencies should consider visibility across their environments as they make modernization decisions and identify zero trust solutions. Ensuring security and visibility are built into future federal government acquisitions and partnerships with cybersecurity companies, identity solutions, and cloud services will enable scalable, modern agency zero trust environments.

Overall, the Coalition supports the direction and approach that OMB has taken in its Zero Trust Strategy. We will continue to work directly with our partners in the agencies as they shift to zero trust architectures. Additionally, we will continue to engage with policy makers and oversight officials to ensure they have access to the latest trends and best practices to guide the future iterations of this strategy document.

The Cybersecurity Coalition