Security

How to Get Your Agency Started on the Journey to Zero Trust in 2022

Agency IT leaders should take this opportunity to plan and start deploying pilot projects as they move to zero-trust architectures.

Marty Spain

Marty Spain is CDW•G's Director of Federal Services & Solutions, and leads a team of energetic problem solvers and creative thinkers to support some of the most complex national security systems.

On Jan. 26, the Office of Management and Budget issued the government’s finalized strategy directing agencies to transition to zero-trust architectures for cybersecurity.

Within 30 days, agencies need to designate and identify zero-trust strategy implementation leads. Within 60 days, they must build upon their existing zero-trust implementation plans by incorporating the additional requirements in the final strategy, then submit the revised plans to the OMB and the Cybersecurity and Infrastructure Security Agency.

The plan still calls for agencies to meet specific goals by the end of fiscal year 2024 around five pillars CISA has laid out around identity, devices, networks, applications and workloads, and data. FCW also notes some key differences from the draft policy issued last fall:

One big adjustment is the planned elimination of rotating passwords with special characters within one year. The policy also calls for the authentication of users via connected devices and the use of phishing-resistant authentication on public facing systems that support multifactor authentication.

The new requirements also include encrypting DNS requests and HTTP traffic, while subjecting all applications to rigorous testing and vulnerability assessments. The memo also flags some specific stumbling blocks to better agency cybersecurity, including the reliance on virtual private networks for application authentication and the continued use of unsecured intranets inside the dot-gov domain.

It’s obviously good that agency IT and cybersecurity leaders have a clear roadmap to follow. The challenge, at this point, is knowing where to start, since transitioning to zero trust is not a simple process and cannot be achieved by simply purchasing new security tools.

Federal IT leaders need to take steps now to identify their objectives and their conceptual security model under zero trust, and then start conducting pilots to get the ball rolling.

Click the banner to get access to customized content on cybersecurity by becoming an Insider.

Getting Started with an Implementation Plan for Zero Trust

There’s a lot to think about and sort through in the shift to zero trust. IT leaders should start by having honest conversations with themselves and their internal teams to really define what zero trust means to them, because it will change from agency to agency. What types of data are they looking to secure? What types of security concerns need to be addressed?

After answering those questions, IT leaders can start building a conceptual security model for what zero trust should look like within the agency.

From there, IT leaders can start conducting proofs of concept and pilot programs related to the different pillars of zero-trust security laid out in the OMB strategy document, likely starting with identity, a foundational element of any plan.

These pilots should answer several questions: Does the system or tool work? How complex is it to deploy at a small scale? Does it meet the security goals the agency has spelled out?

This can help leaders assess whether it’s feasible to roll out the tool or process to the entire agency or whether they need to revise the goals and objectives they had previously defined. It also may require bringing in additional capabilities from trusted third parties.

A key question IT leaders should ask at this point, in consultation with their counterparts in the CFO’s office, is what it would cost to implement the pilot at scale. That will help determine how much budget needs to be allocated and what the overall architecture will look like.

The finalized OMB plan says agencies should submit, within 60 days, a budget estimate for fiscal year 2024 and should “internally source funding in FY22 and FY23 to achieve priority goals, or seek funding from alternative sources, such as working capital funds or the Technology Modernization Fund.”

It’s not feasible for an agency to flip a switch and implement zero trust, which is why things need to start small. A change that is too abrupt will likely cause unacceptable disruptions to mission objectives.

That’s why limited rollouts that are tested and evaluated should be the name of the game. They can be scaled up piece by piece. IT leaders should also be flexible as technology changes and agency missions evolve, as rigid implementation plans have a propensity to fail.

How to Avoid Stumbling Blocks on the Road to Zero Trust

The first phase of this journey is likely going to involve a lot of stops and starts and do-overs as IT and cybersecurity leaders seek to identify any problems with pilots. That’s why it’s important not to rush the initial planning phase of testing and validating solutions relative to agency objectives.

That will help agencies avoid the problem of scrapping a solution and asking for more money down the line. Measure twice, cut once.

The shift to zero trust is not going to be easy, and it all needs to happen within the next 32 months. Policymakers at OMB and CISA will need to enforce the strategy and make sure agencies are following through, but they will also need to work with Congress to ensure agencies have enough funding to successfully make the transition to zero trust. That includes evaluating proofs of concept so that agencies can put together plans that are both realistic and financially feasible.

Other challenges will likely crop up along the way. IT staff with institutional knowledge may leave or be thinking of leaving for the commercial sector. Agencies should do whatever they can from a compensation perspective to hold on to such valuable employees for as long as they can.

EXPLORE: Create a zero-trust environment among users as well as on your network.

Many federal offices are still largely empty as users work remotely. This affords IT leaders with the opportunity to test zero-trust capabilities without causing too much disruption to onsite operations. They should use this time wisely to test pilot projects, with users switching to telework if necessary.

Things will get tricky once it’s time for agencies deploy these solutions in their data centers. That will likely be the slowest part of the implementation, and deployments will need to be done in blocks.

CIOs, CISOs and CTOs should not wait to engage industry as they shift to zero trust. Now is the time to get ahead of any problems. This transition will likely be more complex and difficult than they think.

The sooner IT leaders start collaborating with commercial partners and talking about the unique challenges their agencies face, the less likely it will be that they will run into significant challenges later on.

This article is part of FedTech’s CapITal blog series. Please join the discussion on Twitter by using the #FedIT hashtag.