The cybersecurity slogan for zero trust is a simple one: Never trust, always verify. This slogan fits into the Department of Defense mindset, which is always focused on how to reduce risk, but it’s a challenge to apply it to the federal government’s largest agency. An important tool in pursuing zero trust is to implement microsegmentation – partitioning a network into small, isolated sections to reduce the attack surface in e...

The central premise of Office of Management and Budget Memo 22-09 laying out the Federal Zero Trust Strategy is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Controlling access is everything. This makes defining identity crucial – not just for people, but for every device of any kind that tries to access an agency system. The strongest form of identity management is attribute-ba...

Office of Management and Budget (OMB) Memorandum M-22-09 requires “agencies to achieve specific zero trust security goals” and designates “Identity” as the first of five pillars from CISA’s zero trust maturity model. Additionally, M-22-09 provides specific actions for the Identity pillar that include, employing centralized identity management systems that integrate with agency applications and platforms; leveragin...

One of the foundational tenets of zero trust architecture is Identity – providing credentials for every person and device – in order to manage access to government systems, whether entering from the outside or moving laterally from within. In other words, identity, credential and access management (ICAM) should be addressed as a whole, not as separate point solutions. This applies across all systems, all platforms, and all environm...

When the Cybersecurity and Infrastructure Security Agency (CISA) released its Zero Trust Maturity Model Version 2.0 in April, it identified access management as a core function within the Identity Pillar. Identity is the very first of five such pillars, and brings the need for privileged access management into clear focus. Identity is defined by CISA as “an attribute or set of attributes that uniquely describes an agency user or entity,...

It has been almost seven years since the White House issued Presidential Policy Directive 40, setting out the federal continuity policy “to maintain a comprehensive and effective continuity capability through Continuity of Operations (COOP), Continuity of Government (COG), and Enduring Constitutional Government (ECG) programs, ensuring the resilience and preservation of government structure under the United States Constitution and the co...

After decades of delay, cybersecurity has become a defining issue for the United States. In response, when the White House laid out its zero trust requirements in January 2022, it set an ambitious goal – that all agencies have their zero trust infrastructure in place before October 1, 2024. This is because of the reality of the digital age: a persistent threat environment is the norm in the IT world, and agencies have to assume they...

Cyber attacks are on the increase across all levels of government – and state and local governments are often targeted because they have fewer resources for security. For instance, an October 2022 survey found that more than half of state and local governments faced ransomware attacks in 2021, and just one in five organizations successfully stopped the attack. Strengthening the security and resilience of these agencies’ systems req...

With all of the components of Zero Trust, there are various models and theories that an organization can use to strengthen their cybersecurity practices. The CISA Zero Trust Maturity Model and the DoD Zero Trust Strategy are only two examples of frameworks that provide guidance on implementing Zero Trust security principles within an organization. Both models emphasize the steps it takes to achieve total Zero Trust, but they differ in some of...

The entire concept of zero trust can be boiled down to four words – never trust, always verify. But short, simple statements usually have a lot of moving parts to make them reality. When the Office of Management and Budget issued its Federal Zero Trust Strategy in January 2022, it set the end of Fiscal Year 2024 – September 30, 2024 – as the completion date for a host of cybersecurity standards and objectives to be completed...