Executive Order 14028, Improving the Nation’s Cybersecurity, directed Federal agencies to strengthen their cybersecurity posture and adopt modern security practices such as zero trust (ZT). OMB M-22-09, Moving the U.S. Government Towards Zero Trust Cybersecurity Principles, recognized that data is a foundational pillar of effective ZT implementation. ZT’s core principle of “never trust, always verify” requires that users, data assets, and access to those assets are continuously validated and verified. Through the ZT lens, focus is placed on securing the data itself, rather than the perimeter protecting it.
M-22-09 charged the Federal CDO Council and Federal CISO Council to convene a cross-agency working group of data and security experts to develop a data security guide for Federal agencies. More than 30 Federal agencies and departments answered the call to develop the Federal Zero Trust Data Security Guide which:
Outlines the vision and principles of ZT data security, with data being the new perimeter in ZT
Focuses on how to find, identify, and define data using specific criteria
Expands on how to secure data with the appropriate security monitoring and controls
Provides practitioners with recommendations and best practices that they can tailor to meet their agency’s mission requirements
The intended audience for the Guide includes: system owners, practitioners charged with securing data, data management practitioners and stewards, system administrators, and cybersecurity engineers. A companion document will also assist practitioners in operationalizing data security using a ZT framework.