OMB Memorandum M-22-09:
Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.
On January 26, 2022, the Office of Management and Budget (OMB) published M-22-09 Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.
M-22-09 sets out activities that agencies need to undertake to meet the requirements under Executive Order (EO) 14028 Improving the Nation’s Cybersecurity. Under M-22-09, agencies need to achieve specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024.
Understanding where mobile threat defense (MTD) completes the zero trust framework requirements under the OMB Memorandum provides insight into how agencies can establish robust security.
M-22-09 aligns with the Cybersecurity and Infrastructure Security Agency (CISA) maturity model. Of the five pillars listed, MTD fills in the gaps around mobile device security under three key areas.
At a high level, M-22-09 defines the following three pillars where MTD provides the security needed to ensure a robust approach to zero trust security by incorporating mobile devices:
As Federal Civilian Executive Branch (FCEB) agencies continue to support remote work, more workforce members will be using their mobile devices. CISA’s draft Zero Trust Maturity Model (ZTMM) highlights mobile devices and bring-your-own-device (BYOD) as assets under the Devices pillar.
For mobile devices, many of the current solutions lack the ability to:
MTD fills these gaps, augmenting current security tools so that FCEB agencies can achieve the goals set forth in M-22-09.
Endpoint detection and response (EDR) is fundamental to a successful zero trust framework implementation. M-22-09 touches on the need for EDR tools but, rather than repeat that detail, references the October 2021 M-22-01 Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems Through Endpoint Detection and Response.
M-22-01 states:
EDR combines real-time continuous monitoring and collection of endpoint data (for example, networked computing devices such as workstations, mobile phones, servers) with rules-based automated response and analysis capabilities… EDR provides the increased visibility necessary to respond to advanced forms of cybersecurity threats, such as polymorphic malware, advanced persistent threats (APTs), and phishing. Moreover, EDR is an essential component for transitioning to zero trust architecture, because every device that connects to a network is a potential attack vector for cyber threats.
As FCEB agencies look to meet these EDR requirements, they need to consider solutions that address any networked computing devices. M-22-01 specifies mobile phones. However, it’s important to remember that any device with a mobile operating system must fall into this category.
Additionally, M-22-09 highlights that FCEB agencies need to maintain a diversity of different EDR tools. Under this directive, OMB appears to recognize that traditional EDR technologies, including mobile device management (MDM), may need to be augmented to ensure continuous mobile device security.
EDR and MDM provide several benefits to FCEB agencies. EDR monitors device activity, automates responses, and prevents risky devices from connecting to networks. MDM tracks location, access, and device security.
At the same time, they also leave gaps when moving to a zero trust security model as required by the OMB memo.
EDR solutions lack the ability to:
On the other hand, MDM tools are unable to detect and resolve issues associated with:
MTD is often referred to as “Mobile EDR” and meets the spirit of EDR recommendations from NIST, CISA, and OMB.
With MTD, agencies achieve the mobile device integrity attestation necessary for a complete approach to zero trust. The zIPS intrusion prevention system agent deploys to a device and then:
Creating a complete endpoint security technology stack should incorporate MTD to ensure that the unique risks arising from mobile devices are addressed as part of a zero trust framework.
M-22-09 also incorporates application security testing as part of achieving a successful zero trust framework implementation.
The Memorandum notes:
For Federal applications to withstand sophisticated probing and attack, agencies need to go beyond implementing and documenting security controls. To gain confidence in the security of their systems, agencies must analyze their software and its deployed functionality with a comprehensive and rigorous approach, whether their software is built internally or by a contracted vendor.
Although not specified, mobile applications should be considered part of the implementation. Using an MDM tool offers some capabilities. However, for a complete implementation, agencies also need to consider where MTD fits.
With MDM, users download an agent to their devices, and the MDM server then updates configurations, applications, and policies over the internet. MDM lacks the ability to separate user and agency data, creating privacy risks for agencies using it to secure mobile devices.
Additionally, MDM offers rudimentary device-trust assessments against known threat approaches like jailbreaks and outdated operating systems. However, it lacks the rigorous approach required by M-22-09 because it fails to detect and resolve issues associated with advanced threats, mobile phishing attacks, device health (particularly in real time), cloud application security, and malicious applications downloaded from untrusted sources.
Mobile Threat Defense solves these problems, giving agencies a way to ensure appropriate security and user privacy.
MTD runs locally on mobile devices to ensure end-user privacy. MTD provides the following security and privacy capabilities:
MTD supports the rigorous app testing M-22-09 requires by monitoring all applications, including user-downloaded apps that would otherwise remain unmanaged.
When deploying MTD in combination with other app security technologies, agencies gain the application risk and vulnerability monitoring needed for a comprehensive zero trust framework implementation.
Every zero trust framework best practice suggests that agencies need to incorporate artificial intelligence (AI) and machine learning (ML) technologies as part of their zero trust framework strategies.
M-22-09 is no different. The Memorandum states:
Agencies should strive to employ heuristics rooted in machine learning to categorize the data they gather, and to deploy processes that offer early warning or detection of anomalous behavior in as close to real-time as possible throughout their enterprise.
Using automated solutions provides the real-time threat detection and response capabilities needed to ensure a successful zero trust framework implementation.
EDR automates detection and response capabilities, but it primarily focuses on traditional devices, like workstations.
EDR uses AI/ML to identify threats and prevent them from executing on endpoints. However, it still fails to protect from threats:
Meanwhile, MDM often fails to provide the real-time visibility needed.
Where EDR and MDM create security gaps, MTD offers the AI/ML capabilities for a complete zero trust security framework deployment. MTD provides:
FCEB agencies need to meet the OMB’s goals by the end of FY 2024, but a zero trust framework requires multiple, integrated solutions across all five pillars that CISA outlines.
MTD is critical to securing mobile devices, providing the visibility into threat and risk postures that affects user and device attestation and is necessary for successfully implementing ZTA. Zimperium augments an agency’s IDM, EMM/MDM, and CASB, integrating critical data collection and advanced mobile endpoint security.
Zimperium is a trusted solution across the Federal landscape. Zimperium was the first mobile threat defense (MTD) provider to be granted an Authority to Operate (ATO) status from the Federal Risk and Authorization Management Program (FedRAMP). Further, the U.S. Department of Defense (DoD), through its Defense Information Systems Agency (DISA) and Defense Innovation Unit (DIU), selected Zimperium to deliver comprehensive Mobile Endpoint Protection (MEP) to service members around the world. Zimperium’s MTD solutions will protect DoD mobile endpoints against phishing, malicious/risky apps, OS exploits, and network attacks.
Zimperium’s advanced mobile threat defense solutions provide mobile endpoint security to enterprises and governments around the world. Built with advanced threat security in mind, Zimperium zIPS meets their mobile security needs.