The Government Accountability Office says the U.S. Secret Service needs to update its zero trust cybersecurity implementation plan. On the whole, however, the government watchdog acknowledged the Secret Service’s progress in this area.
A zero trust architecture (ZTA) is a set of cybersecurity principles stating that organizations must verify everything that attempts to access their systems and services. The principle of zero trust is based on the concept that no actor operating outside or within an organization’s network should be trusted. ZTA embeds comprehensive security monitoring, granular risk-based access controls, and system security automation in a coordinated manner throughout all aspects of the infrastructure.
The federal government has begun efforts to use ZTA. Since 2020, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) have issued direction and guidance to federal agencies on the use of ZTA. In addition, the Cybersecurity and Infrastructure Security Agency in 2021 issued a draft roadmap on transition to ZTA, and the 2022 National Defense Authorization Act directed the Department of Defense to develop a zero trust strategy and a model architecture.
The U.S. Secret Service has developed an implementation plan for four milestones intended to support ZTA. The milestones are: perform a self-assessment of the agency’s IT environment against federal guidance; implement cloud service offerings from a vendor; achieve maturity in event logging; and transition the agency’s IT infrastructure to a more advanced internet protocol.
GAO found that Secret Service completed a self-assessment and made progress in implementing cloud services and achieving maturity in event logging. In addition, the agency had a plan to implement a more advanced internet protocol, but had not met longstanding OMB requirements for public-facing systems. By transitioning to this protocol, GAO says, the agency can leverage additional security features.
At the time of GAO’s performance audit (October 2021 to November 2022), Secret Service had additional efforts underway that could address actions specified in OMB’s zero trust strategy issued in January 2022. This strategy outlines actions that agencies are to take by the end of fiscal year 2024. However, GAO said Secret Service’s plan milestones do not cover all of OMB’s required actions because Secret Service developed its implementation plan before OMB issued the strategy. Nevertheless, the audit found that Secret Service either had efforts underway, or reported that it intended to perform activities that could cover the remaining actions.
It is also worth noting here that in March 2022, the Department of Homeland Security (DHS) developed its own ZTA implementation plan and submitted it to OMB. DHS plans to continue to build on its implementation plan per OMB requirements. For example, it intends to use an integrated project team to include components, such as Secret Service, in its planning processes to incorporate ZTA enterprise-wide.
NIST maintains that resources, applications, and services that are primarily cloud-based or primarily used by remote workers are good candidates for a ZTA approach. GAO found that Secret Service has begun to implement, and plans to further implement, a cloud service provider’s offerings. For example, the agency had integrated its cloud-based authentication service with on-premises authentication processes to synchronize and manage user accounts across its IT environment. The agency also plans to deploy tools to leverage a cloud-based solution that should enable management of user and device identities using non-graphical user interfaces, such as scripts and command line tools. In addition, as of April 2022, Secret Service had plans in place to implement a component from its cloud services provider intended to support encryption of data at rest in the cloud.
In order to implement ZTA, agencies must have accurate, extensive, and timely event logging in place so that they can monitor, review, and analyze their assets in real time and forensically in the case of an event. GAO found that as of August 2022, Secret Service had not yet achieved the basic level of event logging maturity according to its plans, although the agency had implemented a tool for centralized logging, monitoring, review, and analysis. Officials cited administrative issues for a delay in using the tool and said it was likely to be in place before the end of the year.
In line with OMB and DHS guidance, Secret Service has plans to transition to Internet Protocol version 6 (IPv6), which, among other benefits, provides federal agencies with a greater assurance of a sender’s identity. Secret Service’s May 2021 strategy outlines milestones and projected costs associated with transitioning up to 80 percent of its assets to IPv6. However, GAO found that as of August 2022, Secret Service had not begun the implementation process to support the transition to IPv6 for any of its assets or services. GAO’s report states that “Secret Service public email servers did not accept IPv6 email, and did not have IPv6 operationally enabled, although OMB required agencies to do so by the end of FY 2012. As a result, Secret Service could not accept internet email via IPv6, forcing external IPv6-enabled email systems to resort to IPv4 connectivity to deliver email to Secret Service.” In addition, GAO found that as of August 2022, Secret Service had not configured eight public-facing systems to operationally use IPv6. “Because of this, the agency could not accept external IPv6 connections to the systems it lists as public-facing,” the report notes. “This forced external IPv6-enabled clients to fall back to IPv4 connectivity to connect to the systems.”
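The condition GAO describes is observable from DNS alone: a mail exchanger or public-facing host that publishes only A records cannot be reached over IPv6, so IPv6-capable peers fall back to IPv4. The following self-assessment script is an added example, not part of GAO's report or any Secret Service tooling; the domain, hostnames and DNS records are constructed, and the resolver is a pluggable callable so a live DNS library can be substituted for the sample table.

```python
"""Flag public-facing hosts that are reachable only over IPv4 (no AAAA record)."""
import socket
from typing import Callable, Dict, List

# Constructed sample DNS data for a hypothetical agency domain (not real records).
# Both mail exchangers are IPv4-only, mirroring the finding that inbound IPv6 mail
# could not be accepted; one web host is dual-stack, one is IPv4-only.
SAMPLE_DNS: Dict[str, Dict[str, List[str]]] = {
    "example-agency.test": {"MX": ["mail1.example-agency.test", "mail2.example-agency.test"]},
    "mail1.example-agency.test": {"A": ["192.0.2.10"]},
    "mail2.example-agency.test": {"A": ["192.0.2.11"]},
    "www.example-agency.test": {"A": ["192.0.2.20"]},
    "portal.example-agency.test": {"A": ["192.0.2.30"], "AAAA": ["2001:db8::30"]},
}

Lookup = Callable[[str, str], List[str]]  # (name, record type) -> record values


def lookup_from_table(table: Dict[str, Dict[str, List[str]]]) -> Lookup:
    """Resolver backed by an in-memory table (used here so the example runs offline)."""
    return lambda name, rtype: list(table.get(name, {}).get(rtype, []))


def lookup_live(name: str, rtype: str) -> List[str]:
    """Stdlib resolver for A/AAAA only; MX lookups need a DNS library (e.g. dnspython)."""
    family = socket.AF_INET6 if rtype == "AAAA" else socket.AF_INET
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, family)})
    except socket.gaierror:
        return []


def ipv6_readiness(domain: str, public_hosts: List[str], lookup: Lookup) -> Dict[str, bool]:
    """Map each MX host and listed public host to True if it publishes an AAAA record."""
    hosts = lookup(domain, "MX") + list(public_hosts)
    return {host: bool(lookup(host, "AAAA")) for host in hosts}


def accepts_ipv6_mail(domain: str, lookup: Lookup) -> bool:
    """Inbound IPv6 mail is possible only if at least one MX host has an AAAA record."""
    return any(lookup(mx, "AAAA") for mx in lookup(domain, "MX"))


def ipv4_only_hosts(domain: str, public_hosts: List[str], lookup: Lookup) -> List[str]:
    """Hosts that force IPv6-enabled clients to fall back to IPv4."""
    return sorted(h for h, ok in ipv6_readiness(domain, public_hosts, lookup).items() if not ok)


if __name__ == "__main__":
    resolve = lookup_from_table(SAMPLE_DNS)
    web = ["www.example-agency.test", "portal.example-agency.test"]
    print("accepts IPv6 mail:", accepts_ipv6_mail("example-agency.test", resolve))
    print("IPv4-only hosts:", ipv4_only_hosts("example-agency.test", web, resolve))
```

Replacing `lookup_from_table(SAMPLE_DNS)` with a function that queries real DNS turns this into a recurring compliance check for the agency's own zone; the logic only reports what the zone publishes, not whether a host actually answers on its AAAA address.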
Officials told GAO that constraints prevented the agency from providing funds for the personnel and equipment required to transition assets to IPv6. In August 2022, the officials added that they had received funding and were in the process of obligating the funds for execution of their plan.
GAO has made two recommendations to Secret Service. First, to implement outstanding OMB requirements for transitioning to IPv6, particularly in regard to upgrading its public-facing systems, which Secret Service said it is working to achieve by September 30, 2025. And second, to update its ZTA implementation plan to include all efforts associated with the transition to ZTA, which Secret Service said it expects to do before the end of the year.