White House cybersecurity officials are working on an updated “zero trust 2.0” strategy, while examining how agencies can be more efficient with their cyber investments.
Nick Polk, branch director for federal cybersecurity at the Office of Management and Budget, said OMB is looking toward the next iteration of the federal zero trust strategy.
“We’re still coalescing around the exact strategy here, but it likely will be focused on specific initiatives we can undertake for the entire government,” Polk said at a July 16 online meeting of the Information Security and Privacy Advisory Board.
The Biden administration released the initial zero trust strategy in January 2022. It has served as a key guidepost for how agencies plan and budget for cybersecurity. The concept focuses on shifting away from relying on perimeter-based cyber defenses, like firewalls, toward a layered approach involving multifactor authentication, data access controls and more.
Agencies had until November 2024 to submit updated zero trust implementation plans.
Polk called the next steps “zero trust 2.0.” He said the Trump administration wants to focus on distinct areas of zero trust.
“As opposed to trying to essentially raise all ships, we want to raise a couple very important ones,” he said.
Polk said that approach is in line with the administration’s focus on “efficiency and rationalization.”
“We really do want to make sure that when we are making an investment, whether it is governmentwide or within each agency, that that investment is rationalized,” Polk said. “We are getting the expected return from that dollar we’re spending and we’re not essentially either focusing on things that don’t really have a really demonstrable security outcome, or really any security outcome, or focusing on efforts that may not contribute wholeheartedly to defending federal networks.”
He said a key effort is examining cybersecurity “compliance regimes.” Polk’s comments come as the Federal Risk and Authorization Management Program, for example, develops a new cloud security assessment process under a “FedRAMP 20X” initiative.
“Understanding that there is, of course, always a place for compliance, but looking at where compliance might be duplicative, or we might be able to prove that a network is sufficiently defended through other mechanisms,” Polk said.
Software security updates
Polk also explained some of the key changes in President Donald Trump’s June cybersecurity executive order. Trump maintained many Biden-era initiatives, but canceled a plan to require federal software vendors to submit “artifacts” that demonstrate the security of their product.
“That was really a key instance of compliance over security, requiring an excessive amount of different artifacts from each software vendor, changing requirements midstream, when software providers were already working on getting the security software development form and agencies were already working on collecting it,” Polk said, pointing to a continued requirement for agencies to collect secure software attestation forms from contractors.
“We are, of course, looking at that policy, but at this point, those requirements still do remain in place,” Polk added.
Trump’s EO directed the National Institute of Standards and Technology to organize an industry consortium that will work on demonstrating the implementation of NIST’s secure software development framework.
Polk argued that under the Biden administration, some officials had “conflated” NIST’s SSDF with software security in general.
“We want to make sure that we should be doubling down on [the framework], or maybe we should be looking at something else,” Polk said. “That’s what we’re trying to figure out.”
Meanwhile, the Defense Department is examining new security processes under its “Software Fast Track,” or SWFT, initiative. It also is looking at how the services and defense agencies could adopt a new security approach involving Software Bills of Materials (SBOMs) and continuous monitoring, among other steps.
On the civilian side of government, however, Polk said officials now want to take a tailored approach to software security requirements.
“We really want agencies to be able to differentiate between software that they’re getting to schedule their conference rooms, that they’re going to encapsulate in a secure enclave or some kind of zero trust based defense, and potentially don’t need to do a lot of work to assure that software,” he said. “And then maybe software that, for example, the [National Nuclear Security Administration] is using to monitor a nuclear power plant.”
Drone requirements, post-quantum encryption
Meanwhile, Polk said OMB will “shortly” issue guidance to agencies on the procurement, use and security of unmanned aerial vehicles. The guidance stems from the American Drone Security Act, which passed as part of the Fiscal 2024 National Defense Authorization Act.
The law prohibits the federal government from buying or funding the purchase of drones made by “covered foreign entities,” particularly those connected to China.
“The biggest changes that folks will see there is a prohibition on U.S. government purchase or use of certain types of drones from certain countries,” Polk said. “That is in partnership with the Federal Acquisition Security Council, as well as requirements for basic cyber security measures to protect the data stored on drones, as well as the different components that underpin each UAV system.”
Polk said OMB is also finalizing new post-quantum cryptography guidance.
NIST finalized an initial batch of post-quantum cryptography standards last August. The Quantum Computing Cybersecurity Preparedness Act of 2022 requires OMB to direct agencies to begin adopting those standards within a year of NIST finalizing them.
“This will contain some relatively detailed information for agencies and direction on programs managing that PQC migration, as well as ensuring that the proper people are involved in the PQC migration process within each agency,” Polk said. “Not just the chief information officer and the chief information security officer, but the chief acquisition officer and other important folks that are going to be really a part of this process as we migrate all of our commercial products to PQC enabled versions.”
Copyright © 2025 Federal News Network. All rights reserved.