Getting Started with an Implementation Plan for Zero Trust
There’s a lot to think about and sort through in the shift to zero trust. IT leaders should start by having honest conversations with themselves and their internal teams to really define what zero trust means to them, because it will change from agency to agency. What types of data are they looking to secure? What types of security concerns need to be addressed?
After answering those questions, IT leaders can start building a conceptual security model for what zero trust should look like within the agency.
From there, IT leaders can start conducting proofs of concept and pilot programs related to the different pillars of zero-trust security laid out in the OMB strategy document, likely starting with identity, a foundational element of any plan.
These pilots should answer several questions: Does the system or tool work? How complex is it to deploy at a small scale? Does it meet the security goals the agency has spelled out?
This can help leaders assess whether it’s feasible to roll out the tool or process to the entire agency or whether they need to revise the goals and objectives they had previously defined. It also may require bringing in additional capabilities from trusted third parties.
A key question IT leaders should ask at this point, in consultation with their counterparts in the CFO’s office, is what it would cost to implement the pilot at scale. That will help determine how much budget needs to be allocated and what the overall architecture will look like.
The finalized OMB plan says agencies should submit, within 60 days, a budget estimate for fiscal year 2024 and should “internally source funding in FY22 and FY23 to achieve priority goals, or seek funding from alternative sources, such as working capital funds or the Technology Modernization Fund.”
It’s not feasible for an agency to flip a switch and implement zero trust, which is why things need to start small. A change that is too abrupt will likely cause unacceptable disruptions to mission objectives.
That’s why limited rollouts that are tested and evaluated should be the name of the game. They can be scaled up piece by piece. IT leaders should also be flexible as technology changes and agency missions evolve, as rigid implementation plans have a propensity to fail.
How to Avoid Stumbling Blocks on the Road to Zero Trust
The first phase of this journey is likely going to involve a lot of stops and starts and do-overs as IT and cybersecurity leaders seek to identify any problems with pilots. That’s why it’s important not to rush the initial planning phase of testing and validating solutions relative to agency objectives.
That will help agencies avoid the problem of scrapping a solution and asking for more money down the line. Measure twice, cut once.
The shift to zero trust is not going to be easy, and it all needs to happen within the next 32 months. Policymakers at OMB and CISA will need to enforce the strategy and make sure agencies are following through, but they will also need to work with Congress to ensure agencies have enough funding to successfully make the transition to zero trust. That includes evaluating proofs of concept so that agencies can put together plans that are both realistic and financially feasible.
Other challenges will likely crop up along the way. IT staff with institutional knowledge may leave or be thinking of leaving for the commercial sector. Agencies should do whatever they can from a compensation perspective to hold on to such valuable employees for as long as they can.
Many federal offices are still largely empty as users work remotely. This affords IT leaders the opportunity to test zero-trust capabilities without causing too much disruption to onsite operations. They should use this time wisely to test pilot projects, with users switching to telework if necessary.
Things will get tricky once it’s time for agencies to deploy these solutions in their data centers. That will likely be the slowest part of the implementation, and deployments will need to be done in blocks.
CIOs, CISOs and CTOs should not wait to engage industry as they shift to zero trust. Now is the time to get ahead of any problems. This transition will likely be more complex and difficult than they think.
The sooner IT leaders start collaborating with commercial partners and talking about the unique challenges their agencies face, the less likely it will be that they will run into significant challenges later on.