Virtru Guidance for Agencies Implementing the New Cybersecurity Executive Order

This article is intended for senior officials at U.S. Federal Civilian Executive Branch Departments and Agencies responsible for implementing the requirements laid out in the Executive Order announced on May 12, 2021. 

The recently issued Executive Order, Improving the Nation’s Cybersecurity, speaks to the necessity—and urgency—of encrypting content ubiquitously, ensuring that security is engrained from the moment it is created. The executive order calls for “bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.” 

With federal agencies required to submit concrete plans for Zero Trust architecture within 60 days, and other key milestones falling shortly thereafter, it’s clear that cybersecurity is a central focus and high priority for the federal government in 2021. 

The directive also encourages agencies to pursue encryption and accelerate adoption of multi-factor authentication (MFA). One primary consideration that must be made when implementing these objectives: who gets to see what content?

Agency Heads and their senior leadership teams have an opportunity to not only comply with the requirements of the latest executive order but implement encryption, MFA, and Zero Trust Architectures in a manner that both improves security and furthers organizational objectives to leverage data as a strategic asset.

Encryption alone is not a data-centric security approach. However, when supported by a requirement for strong identity and corresponding credentials for access, as well as a consistent and diligently applied approach to access control, policy can be enforced through encryption, even at the data level. Adoption of cryptographically enforced granular access control models – for example, attribute-based access control (ABAC) – is not only possible but increasingly necessary, as evidenced by the latest advanced persistent cyber campaign targeting civilian agencies, among others. 

As a domain expert in data protection, including cryptography (encryption specifically), key management, ABAC, the Trusted Data Format (TDF), and Zero Trust solution design, Virtru offers the below recommendations for federal agencies seeking to meet the requirements of several key elements of this Executive Order: 

“Within 60 days of the date of this order (May 12, 2021), the head of each agency shall develop a plan to implement Zero Trust Architecture.”

A Zero Trust strategy is predicated on the fact that trust is never inherited and, per NIST SP 800-207, “involves minimizing access to resources (such as data and compute resources and applications/services) to only those subjects and assets identified as needing access as well as continually authenticating and authorizing the identity and security posture of each access request.” We at Virtru believe that for Zero Trust to be effective, encrypted data must be stored and managed separately from the associated encryption keys. Hosting keys alongside data dilutes the value of encryption in the case of a breach and leaves organizations more vulnerable to exploit.    

With this foundational approach in mind, Virtru recommends that Federal agencies account for six core elements of a data-centric architecture when planning and executing a Zero Trust strategy:

1. Identity. This applies to individuals, devices, software, APIs, and any other entity accessing sensitive information. The means of managing identity must be thoroughly examined by use case and, where applicable, align with the Personal Identity Verification (PIV) standard as reinforced through the Office of Management and Budget (OMB)’s identity policy and as componentized by assurance category (IAL/AAL/FAL) in NIST digital identity guidelines.
2. Access control policy and enforcement. A critical element of data protection is ensuring that access is granted only to those who have a true business need to view it. A recent Virtru survey found that 70% of employees had access to data they shouldn’t. It’s critical that these policies are consistently reviewed and enforced as employees’ work scopes and projects may change and they may only need a fraction of the data access they’ve been granted in order to get the job done.  
3. Preferred encryption method by business process/workflow. Different departments generate, consume, and disseminate different types of sensitive data. Regardless of how data are stored, processed, or shared, they need to be protected in a way that allows for a balance of productivity and security. By implementing a Data Loss Prevention (DLP) framework that automatically encrypts certain types of sensitive data, agencies can minimize data loss while supporting existing workflows with minimal disruption. Additionally, agencies can enhance resiliency and adaptability by selecting technologies with a high degree of crypto-agility — meaning that cryptographic primitives and algorithms can be easily swapped without significant (often costly) changes to infrastructure.
4. Infrastructure for data operations. In a Zero Trust model, infrastructure does not inherit trust. As such, data access decisions occur agnostic to where data are stored or otherwise processed. Not only does this focus agency security efforts on some of their highest value assets — the data they collect and generate — but it also offers agencies the flexibility to manage data across disparate infrastructure using approaches like container orchestration, which can yield organizational process efficiencies through more rapid, repeatable, and scalable deployments. That being said, data-centricity does not mean abandoning defense-in-depth, including physical security and network protections, which should also be incorporated into decisions about infrastructure, regardless of management model (GOCO, COCO, etc.).
5. Entitlement system. Carefully managed and consistently updated methodologies and administrative controls must be in place to ensure access privileges are current and accurate. Failure to do so opens up vulnerabilities and greater risk of insider threats.
6. Data tagging approach. Beyond traditional classification paradigms, agencies should develop a framework and accompanying enterprise data tag dictionary for everything from classified content to controlled unclassified information (CUI). This framework should be leveraged to serve the dual purpose of enhancing security and optimally leveraging data as a strategic asset. Additionally, the framework should be designed in a way that allows for growth and flexibility, as contexts vary across missions and business units. Consider reaching out to NASA for tips on how to scale implementation (scroll to the bottom of the linked page for contact information).

In general, enterprise-level Zero Trust roadmaps should address the above elements in the following phases: 

1. Set a Zero Trust Vision. Identify a target end state and best-fit approach per architectural element detailed above. Ensure that the vision reinforces organization-specific mission objectives.
2. Identify Gaps & Dependencies. Identify current approaches, dependencies, and gaps per element, and map to related architectures, policies, technology resources, and contract vehicles.
3. Strategize. Define an enterprise strategy to achieve the envisioned target end state. This could involve policy updates, governance body spin-up or change in operations, hiring, end user and system administrator trainings, procurement, or reallocation of resources, to name a few. During this phase consider developing an enterprise procurement strategy, leveraging existing government-wide and enterprise-level contract vehicles, for example, the Alliant 2 GWAC and CDM Tools Special Item Number (SIN) – managed by GSA with technical and programmatic management provided by the CISA CDM Program – which are immediately available for use. Consider leveraging solutions that have already been authorized through an Agency ATO process, the FedRAMP JAB P-ATO process, or another government accreditation. Finally, consider organizing a pilot implementation team and submitting an Initial Project Proposal to the Technology Modernization Fund to test new data protection approaches prior to committing changes to the enterprise architecture and policy/ies.
4. Direct and Delegate. As appropriate, require each component/bureau/office within the agency to develop an integrated project plan to drive from current state to end state. If the component/bureau/office will adopt the enterprise plan, clarify this in a section of the plan that addresses governance details.
5. Coordinate and Prioritize. Develop an integrated project plan at the enterprise level that informs prioritization of resources and sprint efforts based on the required sequence of activities.
6. Contribute Your Lessons Learned. Consider offering a briefing of your experience to your agency’s relevant governance bodies or to one of the several interagency coordinating bodies, for example the Federal CIO Council, Federal CISO Council, Federal CDO Council, Federal Privacy Council, the Federal Geographic Data Committee, relevant Interagency Policy Committees (IPCs), or other communities of practice. Help others learn, accelerate adoption of effective security technologies, and build off of your progress by partnering with the National Cybersecurity FFRDC (NCF) through the Work for Others Program, managed by the NIST National Cybersecurity Center of Excellence.

Each enterprise strategy will look different, with some approaches centralizing action and resources at the Department or Agency level while others adopt a more decentralized approach based on common enterprise guidelines. Interagency oversight and technical implementation leads for the EO, including OMB, NSC, and CISA, can focus on holding Agency Heads accountable for achieving results and offering assistance as a partner where needed and as appropriate.

“Heads of FCEB Agencies shall provide reports to the Secretary of Homeland Security through the Director of CISA, the Director of OMB, and the APNSA on their respective agency’s progress in adopting multifactor authentication and encryption of data at rest and in transit.  Such agencies shall provide such reports every 60 days after the date of this order until the agency has fully adopted, agency-wide, multi-factor authentication and data encryption.”

Virtru addresses the collective needs of identity, credential, and access management (ICAM); encryption; data tagging; and policy enforcement. By encrypting sensitive data at the object level with the Trusted Data Format (TDF) — an ODNI-approved  data protection standard — agencies can ensure data remains secure across its entire lifecycle, at all times — beyond the paradigm of “in motion and at rest” — all the way from creation to storage, collaboration, and sharing. 

Virtru equips agencies with administrative controls that support data tagging and attribute-based access controls, so organizations can carefully manage exactly who can access certain types of data, with the ability to revoke access at any time. This level of visibility, paired with multi-factor authentication (MFA), ensures data can only be accessed by the intended recipient, supporting agencies’ data strategy and security efforts. However, strong authentication and encryption should be implemented as a means of access control policy enforcement, rather than an adjacent, separate solution.

The recent cyber attacks on SolarWinds systems, Microsoft Exchange Server users, and Colonial Pipeline demonstrate the importance of a layered approach to identity management and data security. Implementing the above recommendations in conjunction with an object-level encryption solution like Virtru that empowers data owners to manage their own keys and associated policies enables the immediate revocation of data access, regular and rapid rotation of encryption keys, and mitigation of data loss to “stop the bleeding” quickly. 

With sophisticated, large-scale cyber attacks accelerating, it’s vital that federal agencies and their industry partners act quickly to reduce vulnerabilities, modernize their security, and safeguard their data. As the EO emphasizes, “The prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.” 

About Virtru & More Info

Virtru’s mission is to empower organizations to unlock the power of data while maintaining control, everywhere data are stored and shared. Leveraging the ODNI-approved Trusted Data Format (TDF), Virtru’s core technology was originally created for the purpose of protecting the nation’s most sensitive, confidential data across its entire lifecycle. Virtru offers protection of any content with robust encryption, control of dissemination regardless of the consumer’s location or organization, and complete audit of any actions on protected content. Protection can be rule-based and automated to ensure data owners have complete control over their documents. 

Over 20,000 organizations trust Virtru for data protection, including U.S. Federal civilian, defense, and intelligence agencies. With offerings authorized both through FedRAMP at the Moderate level and by specific agencies for mission workflows, Virtru’s portfolio of solutions and tools — built on an open data protection platform — enables Federal organizations to realize a lifecycle approach to data management and security. 

 To see how Virtru can help your agency adapt, strategize, and rapidly respond to the new executive order, reach out to us today at federal@virtru.com.