| Section | Task | Agency Action Timeline (Deadlines Measured From Date of Issuance of This Memorandum) |
| --- | --- | --- |
| General | Agencies must submit to OMB and CISA an implementation plan for FY22-FY24 for OMB concurrence, and a budget estimate for FY23-24. | Within 60 days. |
| Identity | Agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms. | Include in agency implementation plan. |
| Identity | Agencies must require their users to use a phishing-resistant method to access agency-hosted accounts. | Include in agency implementation plan. |
| Identity | Public-facing agency systems that support MFA must give users the option of using phishing-resistant authentication. | Within one year. |
| Identity | Agencies must remove password policies that require special characters and regular password rotation from all systems. | Within one year. |
| Identity | Agency authorization systems should work to incorporate at least one device-level signal alongside identity information about the authenticated user. | Include in agency implementation plan. |
| Devices | Agencies must create ongoing, reliable, and complete asset inventories, including by leveraging the CDM program. | Include in agency implementation plan. |
| Devices | Agencies must ensure their EDR tools meet CISA's technical requirements and are deployed and operated across their agency. | See M-22-01. |
| Devices | Agencies must work with CISA to identify gaps, coordinate on deployment, and establish information sharing capabilities with CISA, as described in M-22-01. | See M-22-01. |
| Networks | Agencies must resolve DNS queries using encrypted DNS wherever it is technically supported. | Include in agency implementation plan. |
| Networks | Agencies must enforce authenticated HTTPS for all production HTTP traffic, including traffic that does not cross the public internet. | Include in agency implementation plan. |
| Networks | Agencies must work with the DotGov program at CISA to "preload" agency-owned .gov domains as HTTPS-only in web browsers. | Include in agency implementation plan. |
| Networks | Agencies must develop a zero trust architecture plan that describes how the agency plans to isolate its applications and environments, in consultation with CISA, and include it in the full implementation and investment plan required by this memorandum. | Include in agency implementation plan. |
| Applications and Workloads | Agency system authorization processes must employ both automated analysis tools and manual expert analysis. | Include in agency implementation plan. |
| Applications and Workloads | Agencies must welcome external vulnerability reports for their internet-accessible systems. | September 2022, consistent with OMB M-20-32 and BOD 20-01. |
| Applications and Workloads | Agencies must select at least one FISMA Moderate system that requires authentication and is not currently internet-accessible, and securely allow full-featured operation over the internet. | Within one year. |
| Applications and Workloads | Agencies must begin providing CISA and GSA any non-.gov hostnames used by their internet-accessible information systems. | Within 60 days. |
| Applications and Workloads | Agencies should work toward employing immutable workloads when deploying services, especially in cloud-based infrastructure. | Include in agency implementation plan. |
| Data | Agency Chief Data Officers must work with key agency stakeholders to develop a set of initial categorizations for sensitive electronic documents within their enterprise, with the goal of automatically monitoring and potentially restricting how these documents are shared. | Within 120 days. |