Secret Service’s Zero Trust Plan Must Account for OMB Guidance, Watchdog Says
The Secret Service’s plan for adopting a zero trust architecture model across the agency’s systems has not been updated since the Office of Management and Budget released new guidance in January.
Although the Secret Service has “made progress” in adopting a zero trust model across its systems, the agency still needs to align its ongoing cybersecurity efforts with federal guidance that came out after its implementation plan was first developed, according to a report released by the Government Accountability Office on Tuesday.
GAO’s report analyzed the Secret Service’s adoption of a federally mandated zero trust architecture strategy, which works to enhance agencies’ systems and services by assuming “that a breach of IT systems is inevitable or has likely already occurred.”
“Zero trust security is intended to continually limit user access to only the resources that users need, when they need them,” the report added. “As such, the zero trust model seeks to eliminate implicit trust in users or in devices connected to an agency’s network.”
In May 2021, President Joe Biden issued an Executive Order on Improving the Nation’s Cybersecurity that, in part, required all federal agencies to “develop a plan to implement zero trust architecture.” The Cybersecurity and Infrastructure Security Agency also issued draft guidance in June 2021 to help guide agencies’ zero trust implementation efforts.
GAO, which conducted its review from October 2021 to November 2022, said it requested the Secret Service’s implementation plan in November 2021. This was prior to the Office of Management and Budget—or OMB—issuing a memo in January 2022 that required agencies “to meet specific cybersecurity standards and objectives,” including a series of “actions that agencies are to take by the end of fiscal year 2024 that are intended to form a starting point to implementing zero trust architecture.” The Secret Service did not update its implementation plan to account for OMB’s guidance, according to the report.
GAO said the Secret Service’s implementation plan established four milestones for supporting agencywide rollout of zero trust architecture, including: performing a self-assessment of its IT environment against CISA’s draft guidance; implementing cloud services provided by a vendor; achieving “a preliminary level of event logging maturity,” per OMB guidance issued in August 2021; and transitioning its IT infrastructure “to a more advanced internet protocol.”
Since the agency “developed its implementation plan before OMB disseminated its zero trust strategy,” however, GAO found that the four milestones in the Secret Service’s implementation plan only addressed “six of the 15 OMB required actions.”
The report found that the agency has not, for example, addressed OMB requirements regarding the implementation of internet protocol version 6, or IPv6. In a footnote, GAO noted that IPv6 “is the next generation of internet protocols, which are addressing mechanisms that define how and where information moves across interconnected networks.”
“By transitioning to this protocol, the agency can leverage additional security features,” the report noted.
While GAO noted that the Secret Service “either had efforts underway, or reported that it intended to perform activities that could cover the remaining actions” required by OMB’s guidance, the report said that “these additional efforts are not reflected in the agency’s [zero trust architecture] implementation plan.”
“If Secret Service does not keep its [zero trust architecture] implementation plan up to date, management will likely not have a coherent view of disparate activities associated with the transition process,” the report said.
GAO recommended that the Secret Service “transition to a more advanced internet protocol for its public-facing systems” and also “update its zero trust architecture implementation plan.” The Department of Homeland Security, which oversees the Secret Service, responded to GAO on behalf of the agency and concurred with the two recommendations.