
Strengthen Your Defenses: Federal Cyber Initiatives for a Secure Future


In March 2023, the Biden administration unveiled a comprehensive national cybersecurity strategy. This set a bold vision for cybersecurity, emphasizing the need to defend critical infrastructure, dismantle cyber threats, drive market security, invest in a resilient future, and forge international partnerships. 

Building on this framework, the July 2024 White House memorandum from the Office of Management and Budget (OMB) and Office of the National Cyber Director (ONCD) outlines specific cybersecurity investment priorities for the future and provides a roadmap toward actionable, measurable outcomes. 

The latest memo advances several key areas highlighted in the original strategy: 

  • Transition to zero trust architectures: It describes the need to move quickly to zero trust architectures, which demand rigorous, continuous verification of every user and device. 
  • Enhance public-private collaboration: It calls for scaling efforts to share information, bolster resilience, and drive collective action against evolving threats.
  • Bolster the cybersecurity workforce: It focuses on expanding recruitment, retention, and addressing the skills gap hampering defensive capabilities.
  • Prepare for quantum computing challenges: It highlights the need to prepare for a post-quantum future – including transitioning to quantum-resistant cryptography – and a federal commitment to crypto agility, so that algorithms can be swapped again when the next change comes.

It’s essential you understand each of these key areas – which we summarize below and also plan to tackle in an upcoming webinar. [Save your spot by registering here to stay ahead of today’s threats and prepare for tomorrow’s challenges.]

Enhancing Your Defense Strategy 

Federal agencies face increasing cybersecurity challenges, making it crucial to adopt advanced solutions to stay secure. So, let’s dive into each of the broad areas from the cybersecurity memo, plus key takeaways. 

Embrace zero trust to manage identity and access

One of the memo’s key mandates in support of defending critical infrastructure requires government agencies to submit updated zero trust plans within 120 days. A zero trust approach shifts away from traditional perimeter-based security to a model that minimizes implicit trust and maximizes verification: every access request is authenticated and authorized, regardless of where on the network it originates. 

This verification is crucial for machine identities, which outnumber human users in most IT environments. Every device, workload, and service needs its own identity and credentials to authenticate and communicate securely, and those credentials must be issued, rotated, and revoked throughout their lifetime. The result is a complex web of identities that, if mismanaged, leaves gaps an attacker can exploit: a compromised or unrevoked machine credential can grant unauthorized access to sensitive parts of a network, and an expired one can cause an operational outage. 

Moreover, data in transit across networks must be encrypted, which in practice means TLS (Transport Layer Security), and TLS in turn relies on certificates to authenticate the endpoints of each connection. This requirement is crucial to safeguarding information as it moves between systems and devices. Managing these TLS certificates at scale requires meticulous oversight, and improper identity or certificate management can have severe repercussions. The risks associated with certificate management failures were made apparent when leading certificate authority Entrust incorrectly issued thousands of extended validation TLS certificates in 2024: an organization that knows where each affected certificate is deployed can replace it quickly, while one that does not cannot. Effective identity and certificate management is crucial to prevent attackers from exploiting weaknesses to breach networks, exfiltrate data, or disrupt operations.

Key Takeaways:

  • Government agencies are required to update zero trust plans, focusing on rigorous verification of machine identities for everything that touches the network.
  • Proper TLS certificate management is crucial to prevent network breaches and operational disruptions.
  • Continuous discovery and monitoring of certificates is critical to maintaining trust.

Addressing the cybersecurity skills gap

A well-managed environment is easier to defend, but this requires a two-fold approach: raising the skill level of our cybersecurity workforce and reducing the complexity of the environments they operate in. To address this, the ONCD memo emphasizes the need for proper tooling, particularly around public key infrastructure (PKI) management. 

Government-owned technology solutions are often managed on an application-by-application basis, contributing to operational complexity. Ad hoc management not only drives up costs but also makes hiring skilled personnel harder and more expensive, and often duplicates the same role across teams. When each application requires its own PKI management, agencies find themselves trapped in a cycle of inefficiency: staff must juggle disparate systems instead of focusing on enhancing security across the board. 

Centralizing PKI management helps overcome this challenge. Organizations can lower complexity and boost security maturity simultaneously by streamlining certificate management across the enterprise. Centralization also sets the stage for automation, allowing for more seamless integration of encryption and authentication across various platforms. With proper tools in place, security becomes more accessible to all staff members, not just specialized experts. 

Using the right tools can provide significant advantages for training and onboarding new talent. As more cyber technicians enter the workforce, they are best positioned for success when working with the tools they’ve been trained on, such as EJBCA, Active Directory, and other industry standards. Equipping new hires with familiar systems can reduce the learning curve for new staff, improve operational efficiency, and benefit overall cybersecurity health and resiliency. 

Key Takeaways:

  • Centralizing PKI management can lower complexity and improve security, making it easier to defend environments.
  • Equipping new hires with familiar tools enhances operational efficiency and strengthens cybersecurity.

Public-private sector collaboration leads to secure solutions

On the other side of the coin, these tools must meet the specific, rigorous needs of government agencies. Federal departments and agencies are mandated to adopt solutions that enhance security and comply with strict regulatory and operational standards. This is particularly important when considering commercially available tools or open-source software. 

Open-source solutions can provide flexibility and innovation without sacrificing security when properly maintained and secured. The White House memo echoes this, encouraging agencies to contribute to and maintain open-source software components. However, when open-source components are in use, agencies must monitor code changes, identify and address vulnerabilities, and maintain the integrity of those components. Without the right tools, consistent oversight and security can be a challenge. 

Keyfactor solutions are designed to meet the high standards required by governments globally. In fact, we’re already helping several government entities manage identity programs with secure, compliant, centralized PKI management solutions. Our tools not only power the secure management of digital identities but also offer full transparency, rigorous compliance features, and automated security controls that support compliance with FIPS 140-2 and with the relevant NIST control families. Certificate lifecycle automation and secure encryption management with Keyfactor can help agencies maintain tight control over their PKI environments and meet compliance requirements. 

Key Takeaways:

  • Government agencies must adopt secure, compliant solutions that meet strict regulatory standards.
  • Keyfactor solutions offer centralized PKI management, automated security controls, and compliance with FIPS 140-2 and other NIST standards.

Preparing for a post-quantum future

As quantum computing advances, the federal government must prioritize the transition to post-quantum cryptography (PQC). A sufficiently capable quantum computer would break the public-key algorithms (RSA and elliptic-curve cryptography) that protect key exchange and digital signatures today, and the shift to replacements will be neither simple nor quick. To make things more difficult, there are already signs that attackers are acquiring encrypted data now and storing it so they can decrypt it later, once the technology is available. This is commonly known as “capture then decrypt” (or “harvest now, decrypt later”), and it moves the need for action into the here and now: data that must remain confidential for years is already at risk, so the transition cannot be put off while progress in the technology is monitored.

In addition to identifying the data most exposed to “capture then decrypt,” a critical and difficult task of the transition is building a comprehensive inventory of every digital certificate across an agency’s network, so that the agency knows which algorithms and key sizes are in use where, and can measure migration progress. Each of these certificates, used to authenticate communications and establish encrypted sessions, must be monitored for changes, vulnerabilities, and expiration dates. 

Without that visibility, agencies risk opening serious security gaps as they change cryptographic standards. The painful transition from SHA-1 to SHA-2 taught this lesson: while manageable, the change was labor-intensive and slow, and much of the effort went into finding where SHA-1 was still in use. The quantum computing threat will demand a faster response. 

Gaining full understanding and control of certificate management is essential for protecting sensitive data as agencies prepare for the quantum future. A PKI platform that can manage this process across all certificate authorities, and that can reissue and rotate certificates without manual intervention, will make the switch to PQC as painless as possible and leave agencies better placed for the cryptographic changes quantum computing will force. 
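The inventory this section calls for, reduced to its core, as an added example that is not code from the original post or from Keyfactor: it parses a certificate into an inventory record (subject, key algorithm and size, signature algorithm, expiry) and applies three of the rules discussed above: expiring inside a renewal window, signed with a hash the SHA-1 retirement already removed, and carrying a public key a quantum computer would break. Everything is Go standard library (crypto/x509). The two certificates, their keys and the example.gov hostnames are constructed inside the block so it runs offline; a real discovery job would feed DER from network scans, key stores and CA exports into Inventory instead.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Record is one inventory row: what is needed to track expiry and to plan the move off quantum-vulnerable algorithms.
type Record struct {
	Subject  string
	KeyAlgo  string // "RSA-2048", "ECDSA-P-256", or "" when crypto/x509 did not parse the key (route to manual review)
	KeyBits  int
	SigAlgo  x509.SignatureAlgorithm
	NotAfter time.Time
}

// Inventory builds the row from one DER-encoded certificate, as a discovery job does for each certificate it finds.
func Inventory(der []byte) (Record, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Record{}, err
	}
	rec := Record{Subject: cert.Subject.String(), SigAlgo: cert.SignatureAlgorithm, NotAfter: cert.NotAfter}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		rec.KeyBits, rec.KeyAlgo = pub.N.BitLen(), fmt.Sprintf("RSA-%d", pub.N.BitLen())
	case *ecdsa.PublicKey:
		rec.KeyBits, rec.KeyAlgo = pub.Curve.Params().BitSize, "ECDSA-"+pub.Curve.Params().Name
	}
	return rec, nil
}

// Assess applies the migration-planning rules to one row; each finding is a reason the certificate needs attention.
func Assess(rec Record, now time.Time, window time.Duration) []string {
	var f []string
	if rec.NotAfter.Before(now) {
		f = append(f, "expired")
	} else if rec.NotAfter.Sub(now) <= window {
		f = append(f, "expires-within-window")
	}
	switch rec.SigAlgo { // the SHA-1 retirement lesson: track the signature hash, not only the key
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		f = append(f, "weak-signature-hash")
	}
	// Every key algorithm recognised above (RSA, ECDSA) rests on a problem a cryptographically relevant quantum computer solves.
	if rec.KeyAlgo != "" {
		f = append(f, "quantum-vulnerable-key")
	}
	return f
}
// must panics on error to keep the constructed sample fleet short; a real discovery job would report and continue.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue self-signs a one-year certificate for cn with key and inventories it (a constructed stand-in for a discovered certificate).
func issue(key crypto.Signer, cn string, notAfter time.Time) (Record, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.AddDate(-1, 0, 0),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return Record{}, err
	}
	return Inventory(der)
}

// SampleFleet is a constructed two-certificate fleet: an RSA-2048 certificate 20 days from expiry and an ECDSA P-256 one.
func SampleFleet(now time.Time) []Record {
	specs := []struct{ key crypto.Signer; cn string; days int }{
		{must(rsa.GenerateKey(rand.Reader, 2048)), "web.example.gov", 20},
		{must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), "api.example.gov", 400},
	}
	var fleet []Record
	for _, s := range specs {
		fleet = append(fleet, must(issue(s.key, s.cn, now.AddDate(0, 0, s.days))))
	}
	return fleet
}

func main() {
	now := time.Now()
	for _, rec := range SampleFleet(now) {
		fmt.Printf("%-16s %-12s %-18v %s %v\n", rec.Subject, rec.KeyAlgo, rec.SigAlgo, rec.NotAfter.Format("2006-01-02"), Assess(rec, now, 30*24*time.Hour))
	}
}
```

Both sample certificates come back flagged quantum-vulnerable, which is the point: a clean classical inventory still contains nothing that survives the PQC transition, so the finding counts, not the absence of expiry problems, are what size the migration. A certificate whose key type crypto/x509 does not recognise gets no automatic finding and is left for manual review rather than silently passed.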

Key Takeaways:

  • The transition to PQC requires comprehensive inventory and management of digital certificates.
  • A PKI platform that automates this process will ease the shift to PQC and reduce exposure to quantum computing threats.

Looking ahead: Engage Keyfactor to secure the future

The stakes for federal agencies are high – and climbing higher. Your cybersecurity must evolve to meet all of these oncoming threats.

Effective public-private sector collaboration is essential, and implementing the right tools early will determine how well the government can adapt to these challenges. 

With industry-leading solutions for centralized PKI management, certificate lifecycle automation, and compliance monitoring, Keyfactor enables government entities to simplify security operations, enhance workforce capabilities, and prepare for the quantum future. Our secure, compliant platforms offer visibility, control, and automation to handle encryption and identity management, today and in the post-quantum era. 

Want to boost your cyber defense? Join our webinar on October 9, 2024. Discover how to protect your environment and stay compliant with the latest federal standards, including the White House’s new cybersecurity guidelines. Reserve your spot now — you’ll be better equipped to meet today’s cybersecurity challenges and prepare for the threats of tomorrow.