OMB Memorandum M-22-09:
Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.
On January 26, 2022, the Office of Management and Budget (OMB) published M-22-09 Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.
M-22-09 sets out activities that agencies need to undertake to meet the requirements under Executive Order (EO) 14028 Improving the Nation’s Cybersecurity. Under M-22-09, agencies need to achieve specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024.
Understanding where mobile threat defense (MTD) completes the zero trust framework requirements under the OMB Memorandum provides insight into how agencies can establish robust security.
The Key Zero Trust Framework Pillars
M-22-09 aligns with the Cybersecurity and Infrastructure Security Agency (CISA) maturity model. Of the five pillars listed, MTD fills in the gaps around mobile device security under three key areas.
At a high level, M-22-09 defines the following three pillars where MTD provides the security needed to ensure a robust approach to zero trust security by incorporating mobile devices:
- Devices: The Federal Government has a complete inventory of every device it operates and authorizes for Government use, and can prevent, detect, and respond to incidents on those devices.
- Applications and Workloads: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.
- Data: Agencies take advantage of cloud security services and tools to discover, classify, and protect their sensitive data, and have implemented enterprise-wide logging and information sharing.
As Federal Civilian Executive Branch (FCEB) agencies continue to support remote work, more workforce members will be using their mobile devices. CISA’s draft Zero Trust Maturity Model (ZTMM) highlights mobile devices and bring-your-own-device (BYOD) as assets under the Devices pillar.
For mobile devices, many of the current solutions lack the ability to:
- Ensure appropriate attestation and security
- Secure mobile applications
- Automate security responses
MTD fills these gaps, augmenting current security tools so that FCEB agencies can achieve the goals set forth in M-22-09.
Government-wide endpoint detection and response
Endpoint detection and response (EDR) is fundamental to a successful zero trust framework implementation. M-22-09 touches on the need for EDR tools. However, going into detail would be repetitive within this Memorandum. Therefore, M-22-09 references the October 2021 M-22-01 Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems Through Endpoint Detection and Response.
M-22-01 states:
EDR combines real-time continuous monitoring and collection of endpoint data (for example, networked computing devices such as workstations, mobile phones, servers) with rules-based automated response and analysis capabilities…EDR provides the increased visibility necessary to respond to advanced forms of cybersecurity threats, such as polymorphic malware, advanced persistent threats (APTs), and phishing. Moreover, EDR is an essential component for transitioning to zero trust architecture, because every device that connects to a network is a potential attack vector for cyber threats.
As FCEB agencies look to meet these EDR requirements, they need to consider solutions that address any networked computing devices. M-22-01 specifies mobile phones. However, it’s important to remember that any device with a mobile operating system must fall into this category.
Additionally, M-22-09 highlights that FCEB agencies need to maintain a diversity of different EDR tools. Under this directive, OMB appears to recognize that traditional EDR technologies, including mobile device management (MDM), may need to be augmented to ensure continuous mobile device security.
What EDR and MDM do for meeting OMB requirements
EDR and MDM provide several benefits as FCEB agencies. EDR monitors device activity, automates responses, and prevents risky devices from connecting to networks. MDM tracks location, access, and device security.
At the same time, they also leave gaps when moving to a zero trust security model as required by the OMB memo.
EDR solutions lack the ability to:
- Provide visibility around locked down kernels in mobile OS’s
- Detect risky or malicious networks
- Detect disabled cloud-based detection by network attackers
- Assess privacy and security risks in legitimate (non-malicious) mobile apps
- Address end-user privacy concerns on owned devices
On the other hand, MDM tools are unable to detect and resolve issues associated with:
- Advanced threats
- Mobile phishing attacks
- Device health, particularly in real-time
- Cloud application security
- Malicious applications downloaded from untrusted sources
Getting MTD into the Zero Trust Framework mix
MTD is often referred to as “Mobile EDR” and meets the spirit of EDR recommendations from NIST, CISA, and OMB.
With MTD, agencies achieve the necessary mobile device integrity attestation necessary for a complete approach to zero trust. The zIPS intrusion prevention system agent deploys to a device then:
- Scans for known malware
- Verifies device configurations comply with policy
- Inventories applications for malicious apps or side-loaded apps
- Provides data to security tools via API
Creating a complete endpoint security technology stack should incorporate MTD to ensure that the unique risks arising from mobile devices are addressed as part of a zero trust framework.
Application security testing
M-22-09 also incorporates application security testing as part of achieving a successful zero trust framework implementation.
The Memorandum notes:
For Federal applications to withstand sophisticated probing and attack, agencies need to go beyond implementing and documenting security controls. To gain confidence in the security of their systems, agencies must analyze their software and its deployed functionality with a comprehensive and rigorous approach, whether their software is built internally or by a contracted vendor.
Although not specified, mobile applications should be considered part of the implementation. Using an MDM tool offers some capabilities. However, for a complete implementation, agencies also need to consider where MTD fits.
Where MDM fits into application security testing
With MDM, users download an agent to their devices then the MDM server updates configurations, applications, and policies over the internet. MDM lacks the ability to separate user and agency data, creating privacy risks for agencies using it to secure mobile devices.
Additionally, MDM offers rudimentary device-trust assessments against known threat approaches like jailbreaks and outdated operating systems. However, it lacks the rigorous approach required by M-22-09 because it fails to detect and resolve issues associated with advanced threats, mobile phishing attacks, device health, particularly in real-time, cloud application security, and malicious applications downloaded from untrusted sources.
How MTD fills out the OMB application security testing requirements
Mobile Threat Defense solves these problems, giving agencies a way to ensure appropriate security and user privacy.
MTD runs locally on mobile devices to ensure end-user privacy. MTD provides the following security and privacy capabilities:
- No need to collect or process personally identifiable information (PII)
- Recognize standard baselines configurations for operating systems and apps
- Recognize regular web traffic activity
MTD enables the rigorous app testing required by monitoring all applications, including those downloaded by users that would remain unmanaged otherwise.
When deploying MTD in combination with other app security technologies, agencies gain the comprehensive application risk and vulnerability monitoring needed for a comprehensive zero trust framework implementation.
Automating security responses
Every zero trust framework best practice suggests that agencies need to incorporate artificial intelligence (AI) and machine learning (ML) technologies as part of their zero trust framework strategies.
M-22-09 is no different. The Memorandum states:
Agencies should strive to employ heuristics rooted in machine learning to categorize the data they gather, and to deploy processes that offer early warning or detection of anomalous behavior in as close to real-time as possible throughout their enterprise.
Using automated solutions provides the real-time threat detection and response capabilities needed to ensure a successful zero trust framework implementation.
How do EDR and MDM automate security responses?
EDR automates detection and response capabilities, but it primarily focuses on traditional devices, like workstations.
EDR uses AI/ML to identify threats and protect from having them execute on endpoints. However, they still fail to protect from threats:
- Hidden in locked down kernels in mobile OS’s
- Privacy and security risks in legitimate (non-malicious) mobile apps
Meanwhile, MDM often fails to provide the real-time visibility needed.
The MDM visibility and automation needed to meet OMB requirements
Where EDR and MDM create security gaps, MTD offers the AI/ML capabilities for a complete zero trust security framework deployment. MTD provides:
- On-device, machine learning-based detection against the latest mobile threats, including zero-day malware
- Send users alerts when detecting abnormal activities on devices
- Block activities, like preventing a phishing link from loading
- On-device remediation and UEM driven compliance actions
- Ability to protect from threat actors disconnecting or redirecting traffic when connected to a cellular tower
Zimperium Mobile Threat Defense for a Zero Trust Framework
FCEB agencies need to meet the OMB’s goals by the end of FY 2024, but a zero trust framework requires multiple, integrated solutions across all five pillars that CISA outlines.
MTD is critical to securing mobile devices, providing the visibility into threat and risk postures that impact overall user and device attestation necessary for successfully implementing ZTA. Zimperium augments an agency’s IDM, EMM/MDM, and CASB, integrating critical data collection and advanced mobile endpoint security.
Zimperium is a trusted solution across the Federal landscape. Zimperium was the first mobile threat defense (MTD) provider to be granted an Authority to Operate (ATO) status from the Federal Risk and Authorization Management Program (FedRAMP). Further, the U.S. Department of Defense (DoD), through its Defense Information Systems Agency (DISA) and Defense Innovation Unit (DIU), selected Zimperium to deliver comprehensive Mobile Endpoint Protection (MEP) to service members around the world. Zimperium’s MTD solutions will protect DoD mobile endpoints against phishing, malicious/risky apps, OS exploits, and network attacks.
Zimperium’s advanced mobile threat defense solutions provide mobile endpoint security to enterprises and governments around the world. Built with advanced threat security in mind, Zimperium zIPS meets the mobile security needs of enterprises and governments around the world.