Zero Trust is a logical evolution of security in a world where remote access to networks and applications is more common than being on-site with an organization's data center. From cloud applications to the explosion of remote work, the traditional "castle and moat approach" simply does not scale or protect networks that are constantly being accessed by outside users.
The Executive Order on Improving the Nation's Cybersecurity (Cyber EO) has a strong emphasis on moving government toward a Zero Trust approach for security. It laid out deadlines for agencies to submit plans for implementing Zero Trust architectures, holding organizations accountable for changing how they allow users to access their systems.
Defining the Path to Zero Trust
Following the Cyber EO, several pieces of guidance have been published to help agencies navigate the journey to Zero Trust. The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) developed a Zero Trust Maturity Model that defined the core pillars of Zero Trust and the technologies/systems needed to meet Zero Trust guidance. The five key pillars are:
- Application Workload
Underpinning these pillars to enable management of Zero Trust are visibility and analytics, automation, and governance.
Agencies were provided with even more specific direction when the Federal Zero Trust Strategy was released in January 2022. This document provided a definition of what Zero Trust means in practice for government entities and set specific cybersecurity standards and objectives that agencies must meet by the end of Fiscal Year (FY) 2024. Aligning with the CISA pillars, the memo outlines the vision for what organizations should achieve in relation to each pillar as well as specific actions that will get them to that vision.
Hitting the Ground Running
The Defense Information Systems Agency (DISA) recently awarded a contract for a prototype Zero Trust architecture. Nicknamed Thunderdome, this project will provide operational testing for the agency's zero trust reference architecture. From there, the agency will work on an implementation strategy that will modernize how DISA systems, services, and data are accessed.
DoD's Transportation Command (Transcom) will be implementing a Zero Trust security model on its classified networks in the coming months. The implementation will help the agency further modernize its logistics efforts, being able to better utilize cloud computing services.
Paying for Zero Trust
Of course, Zero Trust does not mean zero cost. There is a price associated with implementing new tools and the integration of existing tools. These have to be built into future budgets, but for now agencies are looking for ways to meet the requirements of the EO within budgets that were defined before the focus on Zero Trust was codified. Moving forward, Zero Trust is more of an enterprise effort which is a different budgeting exercise than the traditional siloed spending on security.
GovEvents and GovWhitePapers offer a number of resources to help agencies on their Zero Trust journey.
- Zero Trust: The Fundamentals (April 21, 2022; virtual) - This virtual workshop will focus on the fundamental aspects of a true Zero Trust security posture and the critical steps agencies need to take to work toward compliance with the various guidance.
- Efficiently Improve Your Cloud Security Posture (April 26, 2022; webinar) - As cloud adoption has become more popular, cyber criminals have adapted, pushing agencies to strengthen their security posture with a Zero Trust approach. Taking actionable steps to enhance security shouldn't be an overwhelming drain on resources or time. This event features practical advice for improving cloud security.
- Fireside Chat: Aligning ICAM, the Executive Order & Zero Trust (May 4, 2022; webinar) - The Executive Order on Cybersecurity has moved the term "Zero Trust" from a buzzword to a much-needed baseline for action planning around how we secure agency data and systems. Join government security experts for a panel discussion to understand why Privileged Access Management (PAM) is essential to major DoD initiatives like ICAM, Thunderdome, and Zero Trust, how ICAM supports the Executive Order, the Defense Department's outlook on data-centric security and defending agency systems, and more.
- FCW Workshop: Zero Trust Marching Orders and Milestones (May 4, 2022; hybrid event) - At this event, executives from government and industry will explore best ways to meet Zero Trust requirements laid out by the OMB, lessons learned from other agencies, as well as pointers to resources available through shared services and new procurement and contracting opportunities.
- Zero Trust and Your Agency: What It Will Take to Put Theory Into Practice (May 18, 2022; webinar) - While a more robust security model is essential to reinforce the government's defenses against increasingly sophisticated and persistent threat campaigns, many questions have arisen, such as what does Zero Trust look like in practice? What is a good area in the agency to start this transition? How can I implement Zero Trust with minimal impact on my users? What does this mean for our digital workplace collaboration? This event looks to address these questions and more.
- ACT-IAC Zero Trust Report: Lessons Learned from Vendor and Partner Research (white paper) - The concepts and components of Zero Trust have caught the eye of federal agencies seeking to implement least privileged access principles. However, a lack of understanding and confidence with Zero Trust Architectures (ZTA) may be slowing progress. This paper documents the efforts to enhance understanding of and confidence with Zero Trust.
- Preparing Federal IT for a Zero Trust Architecture (white paper) - In a recent roundtable panel, distinguished participants from both federal agencies and industry shared best practices to help agencies and their partners in industry respond to the challenge of adopting a Zero Trust model. Read about the shared successful strategies and other conversation highlights from this roundtable discussion.