Federal departments and agencies are making headway in meeting the requirements of Executive Order 14028, issued in May 2021, to strengthen their cybersecurity by implementing a zero trust architecture. To date, many agencies have made progress in areas like identity management and secure access. But the journey toward achieving a zero trust environment is different for every department. The challenges that civilian agencies must overcome are...

Adopting a zero trust policy has become imperative for agencies aiming to safeguard their digital assets against increasingly sophisticated threats. It represents a true paradigm shift, away from traditional perimeter-based security models to a more dynamic, trust-never always-verify approach. One critical part of implementing zero trust is managing digital identity – ensuring that access to resources is securely managed and continuously...

State and local governments had to adapt quickly to the effects of the pandemic, as workers and residents alike were encouraged to shelter in their homes. This created major challenges for agencies’ IT systems and technical support staff. Rather than using a “hub-and-spoke” method of connecting employees to servers, data, applications, and each other – where cybersecurity focused on firewalls around the perimeter ...

Cybersecurity has always contended with evolving threats. As the internet has become more embedded into social and economic life and smart phones, tablets and other handheld devices become ubiquitous, bad actors have devised new attacks to capitalize on new vulnerabilities. And just as agencies are implementing zero trust architecture to help with this wave, other IT developments are threatening to upend cybersecurity even more. For instance,...

The cat-and-mouse game between threat actors and cybersecurity professionals continued unabated in 2023, with new threats designed to avoid detection. Many of these threats are new takes on old ones, such as “leveling up” invoice fraud. And ransomware attacks are evolving; rather than encrypting victims’ data, they are straightforwardly stealing the information and extorting payment by threatening to post the info online or t...

Zero trust revolutionizes network security architecture because it is data-centric and designed to stop data breaches. While that is its primary purpose for government, it also increases agility for modern networks that traditional network designs can’t emulate. It has been almost two years since the Office of Management and Budget issued its federal zero trust architecture strategy, which set out specific goals for agencies to achieve b...

Ransomware, malware, phishing, DDoS, social engineering, zero-day exploit, botnets – the list of types of attacks out there is long enough to keep even the most seasoned cybersecurity expert awake at night. And with the increased use of remote computing, the cyber attack surface grows as more edge devices are added to networks. Creating a zero trust environment holds a lot of promise to provide significantly improved cybersecurity. In th...

The cybersecurity slogan for zero trust is a simple one: Never trust, always verify. This slogan fits into the Department of Defense mindset, which is always focused on how to reduce risk, but it’s a challenge to apply it to the federal government’s largest agency. An important tool in pursuing zero trust is to implement microsegmentation – partitioning a network into small, isolated sections to reduce the attack surface in e...

Cybersecurity is akin to the 20th century Cold War. On the one hand, bad actors – whether nation-states or common criminals – are constantly searching for new vulnerabilities and creating new tools to attack them. On the other, all government agencies and private sector companies are trying to remain alert and find new ways to fend off those attacks. Among the innovative ways agencies are responding to the ever-evolving threat land...

The central premise of Office of Management and Budget Memo 22-09 laying out the Federal Zero Trust Strategy is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Controlling access is everything. This makes defining identity crucial – not just for people, but for every device of any kind that tries to access an agency system. The strongest form of identity management is attribute-ba...