Jul 09 2021

How Will Agencies’ Zero-Trust Strategies Come into Focus?

Federal agencies have been mandated to adopt a zero-trust architecture, but officials say it will take time and a concerted effort.

President Joe Biden’s May 12 executive order on cybersecurity mandates that agencies move to adopt a zero-trust architecture for cybersecurity, and federal IT and cybersecurity officials say they see a real momentum behind the shift. However, they caution, it will take time, money and intense focus to make that reality.

The executive order requires that by July 11, agency heads develop a plan to implement a zero-trust architecture, incorporating as appropriate the migration steps that the National Institute of Standards and Technology has laid out. Agency heads need to describe the steps already completed to move to zero trust, identify activities that will have the most immediate security impact and include a schedule to implement them.

Matt Hartman, deputy executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said in late June that the order, while focused on short-term objectives, will also lay the groundwork for long-term strategy shifts, including on zero trust.

Speaking at the American Council for Technology and Industry Advisory Council’s Homeland Security and Law Enforcement Forum on June 30, he said agencies should be able to make “meaningful progress” on implementing zero trust over the next three years.

“The administration fully recognizes that many of the core issues that are being addressed will only be solved through years — literally years of focus and continued investment,” he said, according to Federal News Network. “That’s my sense, that as we hit the end of the 90-day EO timeline, we will have many enduring plans with additional milestones that the White House, OMB, CISA and others will continue driving for the next several years, for the duration of this administration.”

CISA, Other Agencies Aid Zero-Trust Transition

CISA and other agencies are working together to help the entire government shift to zero trust, which focuses less on perimeter network security and more on data security and granular access control and permissions. Zero trust treats everything on the inside of the agency network as just as untrusted as everything on the outside of the network.

CISA has developed a zero-trust maturity model in recent weeks for agencies to help them determine progress across five pillars: identity, device, network, application workload and data. A CISA representative tells FCW there is “nothing to share publicly at this time” on the zero-trust maturity model document.

Over time, Hartman said, agencies will automate security across those pillars via continuous validation and real-time machine learning analytics. “As agencies will transition toward optimal zero trust implementations, their solutions will become more automated, they’ll fully integrate across pillars, and they’ll become more dynamic in their policy enforcement decisions,” he said.

The White House had started working with CISA and other relevant agencies ahead of the May 12 order to develop new guidelines on cybersecurity, according to FCW. Hartman said at the ACT-IAC panel that the interagency collaboration is essential to helping agencies make progress on cybersecurity, especially for those that had not put zero trust on their radars.

National Security Council Director for Cyber Incident Response Iranga Kahangama said the order is an overarching document that clearly spells out the White House’s desire to see agencies adopt zero trust and other cybersecurity enhancements.

“I think we realized with the federal government and its complexity, it’s going to take a winding path for each agency,” he said, according to FCW. “But what we wanted to do was really send a signal to the whole bulk of government and to industry that this is where we’re going.”

Deputy Federal CIO Maria Roat has also said that the administration’s continued push to get agencies to switch to IPv6 will also help aid the move to zero trust.

“By providing end-to-end network paths and better support of microsegmentation, the transition to IPv6-only is going to be a key component of zero-trust architecture — which is one of the key pillars of the executive order,” Roat said during the IPv6 Summit hosted by the General Services Administration in mid-June, according to FedScoop.

RELATED: What elements are needed to make zero trust a reality?

matejmo/Getty Images