The challenge with this EO and all aspirational security pronouncements is their focus on outcomes while avoiding implementation details, trade offs and resources.
It’s as if nobody asked WHY zero trust and MFA are not already pervasive in the Federal Government. Legacy systems are going to be incredibly difficult and expensive to rearchitect for ZTA. Despite HSPD-12 (CAC and PIV authentication and access) being over a decade old, some parts of government refuse to use a smart card plus password for MFA. I wonder why? It is not simply because “government doesn’t understand computers.” The core issue is leadership. There is no benefit for executives to point out the constraints, like usability, cost or talent, that ensure that good ideas in principle will be adopted incorrectly and incompletely.
That said, there is some stuff worth cheering. The CSRB is much overdue and the elevation in status of cybersecurity as a critical function is directionally correct.
Much of whether these aspirations will be possible hinges on legislative budget decisions and ultimately sweeping reform of the government hiring system.
The order covers exactly what it should: these are the outcomes we want, make them happen. It's silly to assert that an executive order from the president would lay out how all the different agencies in the government will adopt Zero Trust, MFA, or other things. This is the kick in the pants, now the agencies are on the hook for doing them. I appreciate your point that it will be hard to accomplish, but that doesn't really let them off the hook I don't think.
> The order covers exactly what it should: these are the outcomes we want, make them happen.
No, it doesn't. "Zero-trust architecture" is not an outcome - it's an means to the actual outcome, which is "lack of breached systems/successful cyberattacks".
It’s as if nobody asked WHY zero trust and MFA are not already pervasive in the Federal Government. Legacy systems are going to be incredibly difficult and expensive to rearchitect for ZTA. Despite HSPD-12 (CAC and PIV authentication and access) being over a decade old, some parts of government refuse to use a smart card plus password for MFA. I wonder why? It is not simply because “government doesn’t understand computers.” The core issue is leadership. There is no benefit for executives to point out the constraints, like usability, cost or talent, that ensure that good ideas in principle will be adopted incorrectly and incompletely.
That said, there is some stuff worth cheering. The CSRB is much overdue and the elevation in status of cybersecurity as a critical function is directionally correct.
Much of whether these aspirations will be possible hinges on legislative budget decisions and ultimately sweeping reform of the government hiring system.