US Government sets forth Zero Trust architecture strategy and requirements

A Microsoft Post 

To help protect the United States from increasingly sophisticated cyber threats, the White House issued Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, which requires US Federal Government organizations to take action to strengthen national cybersecurity.¹ Section 3 of EO 14028 specifically calls for federal agencies and their suppliers “to modernize [their] approach to cybersecurity” by accelerating the move to secure cloud services and implementing a Zero Trust architecture.

As a company that has embraced Zero Trust ourselves and supports thousands of organizations around the globe on their Zero Trust journey, Microsoft fully supports the shift to Zero Trust architectures that the Cybersecurity EO urgently calls for. We continue to partner closely with the National Institute of Standards and Technology (NIST) to develop implementation guidance by submitting position papers and contributing to communities of interest under the umbrella of the National Cybersecurity Center of Excellence (NCCoE).

Microsoft helps implement Executive Order 14028

The memo clearly describes the government’s strategic goals for Zero Trust security. It advises agencies to prioritize their highest value starting point based on the Zero Trust maturity model developed by the national Cybersecurity & Infrastructure Security Agency (CISA). 

Microsoft’s position aligns with government guidelines. Our maturity model for Zero Trust emphasizes the architecture pillars of identities, endpoints, devices, networks, data, apps, and infrastructure, strengthened by end-to-end governance, visibility, analytics, and automation and orchestration.

Flow chart showcasing identities and endpoints as their authentication and compliance requests are intercepted by the Zero Trust Policy for verification before being granted access to networks and the data, apps, and infrastructure they’re composed of.

To help organizations implement the strategies, tactics, and solutions required for a robust Zero Trust architecture, we have developed the following series of cybersecurity assets:

New capabilities in Azure AD to help meet requirements

A blog by my colleague Sue Bohn, Guidance on using Azure AD to meet Zero Trust Architecture and MFA requirements, provides a great summary of how Azure AD can help organizations meet the requirements outlined in EO 14028. We recently announced two additional capabilities developed in response to customer feedback: cloud-native certificate-based authentication (CBA) and cross-tenant access settings for external collaboration.

Certificate-based authentication

Phishing remains one of the most common threats to organizations. It’s also one of the most critical to defend against. According to our own research, credential phishing was a key tactic used in many of the most damaging attacks in 2021. To help our customers adhere to NIST requirements and effectively counter phishing attacks, we announced the preview of Azure AD cloud-native CBA across our commercial and US Government clouds.

CBA enables customers to use X.509 certificates on their PCs or smart cards to authenticate to applications using Azure AD natively. This eliminates the need for additional infrastructure such as Active Directory Federation Services (ADFS) and reduces the risk inherent in using on-premises identity platforms.

Cloud-native CBA demonstrates Microsoft’s commitment to the federal Zero Trust strategy. It helps our government customers implement the most prominent phishing-resistant MFA, certificate-based authentication, in the cloud so they can meet NIST requirements. Read the documentation on Azure AD certificate-based authentication to get started.

Cross-tenant access settings for external collaboration

Our customers have told us they want more control over how external users access apps and resources. Earlier this month, we announced the preview of cross-tenant access settings for external collaboration.

This new capability enables organizations to control how internal users collaborate with external organizations that also use Azure AD. It provides granular inbound and outbound access control settings based on organization, user, group, or application. These settings also make it possible to trust security claims from external Azure AD organizations, including MFA and device claims (compliant claims and hybrid Azure AD joined claims). Consult the documentation on cross-tenant access with Azure AD External Identities to learn more.

More capabilities coming soon

We’re continuing to work on new capabilities to help government organizations meet Zero Trust security requirements:

  • The ability to enforce phishing-resistant authentication for employees, business partners, and vendors for hybrid and multi-cloud environments.
  • Comprehensive phishing-resistant MFA support, including remote desktop protocol (RDP) scenarios.

Resources for your Zero Trust journey

Microsoft is committed to helping the public and private sectors with a comprehensive approach to security that’s end-to-end, best-in-breed, and AI-driven.

To advance your Zero Trust implementation, we offer the following:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


¹ Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity.

CISA Compiles Free Cybersecurity Services and Tools for Network Defenders

CISA has compiled and published a list of free cybersecurity services and tools
to help organizations reduce cybersecurity risk and strengthen resiliency. This
non-exhaustive living repository includes services provided by CISA, widely used
open source tools, and free tools and services offered by private and public
sector organizations across the cybersecurity community. Before turning to the
free offerings, CISA strongly recommends organizations take certain foundational
measures to implement a strong cybersecurity program:

CISA encourages network defenders to take the measures above and consult the
list of free cybersecurity services and tools to reduce the likelihood of a
damaging cyber incident, detect malicious activity, respond to confirmed
incidents, and strengthen resilience.

CISA Insights: Foreign Influence Operations Targeting Critical Infrastructure

Original release date: February 18, 2022

CISA has released CISA Insights: Preparing for and Mitigating Foreign Influence
Operations Targeting Critical Infrastructure, which provides proactive steps
organizations can take to assess and mitigate risks from information
manipulation. Malicious actors may use tactics—such as misinformation,
disinformation, and malinformation—to shape public opinion, undermine trust, and
amplify division, which can lead to impacts to critical functions and services
across multiple sectors.

Current social factors—including heightened polarization and the ongoing global
pandemic—increase the risk and potency of influence operations to U.S. critical
infrastructure. CISA encourages leaders at all organizations to review the CISA
Insights and follow the guidance to assess risk and increase resilience.