Jun 28 2022

Federal Agencies’ Zero-Trust Journey Is Underway. Now What?

New styles of training and new tech skills will be part of the plan.

In the year since the White House issued its executive order outlining a mandatory zero-trust security strategy for the federal government, agencies have begun to formulate their plans for modernizing their cyberdefenses.
Federal CISO Chris DeRusha told a House committee in May that agencies have submitted their initial implementation plans, which are being vetted by the Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency.
“We want to make sure that they’re solid plans, that they’re achievable and they have the right investment requests behind them,” DeRusha told the committee. “That’s how we’re going to track progress. We’re going to hold them accountable to those plans.”
Agencies have until Sept. 30, 2024, to get those plans in place. We’ve already looked at what steps they need to take to get zero trust started. So what happens next?
Zero trust is an entirely different security environment, less dependent on firewalls and containment than it is on identity and prevention. With zero trust, no one accesses the network unless they can prove that they belong there — neither the newest college intern nor the Secretary.

Click the banner and get the details on how to become an Insider.

Choose an Easy Project to Begin Zero-Trust Implementation

While agencies wait for their implementation plans to be approved, they can sort out the specifics of where they want to begin. It’s going to be simple: Start with the easy stuff, and save the more difficult things for last. Zero trust is a journey, and there’s a lot of assessment and preparation that needs to happen to make it successful.
For example: Where’s your oldest legacy IT? Where are the systems that can never go down? Avoid those until the end of the zero-trust process. You don’t want to experiment with new and complex security procedures on your most vulnerable or most vital equipment.
Instead, does your agency have an existing test environment within your data center? That’s a low-risk place to start. Or try your newest applications — those will be the easiest to integrate with modern zero-trust technology.
Take the lessons learned from those relatively simple deployments — as well as from any unexpected obstacles or limitations that you may have identified along the way — and you will learn how to solve the issues that come up with more complicated processes. Zero trust is a continuously evolving architecture; both the technology and your workers’ skill set will improve over time.
That brings us to the next phase of preparation for zero trust: training the workforce.
This is more than just teaching people how to log in through a new security system. It’s a cultural change, not just for the individuals on the ground, but also for the policymakers who need to decide what technologies to adopt to implement zero trust in the first place. 
Agencies need to develop a model that allows everyone who touches the technology throughout its lifecycle to work together on everything from implementation to operation and administration changes.
READ MORE: CDW has more solutions for zero-trust deployment.

Coding Will Become a Key Skill for Federal IT Workers

Fortunately, the federal government has been adopting more of a DevSecOps mindset, making all of this far more doable. Even the most solid zero-trust environment will undergo transformation — it’s born to be agile. Every few years, something will have to be updated, adapted or completely changed. 
One of the reasons this will happen is that zero-trust security is based more on software than hardware and devices, triggering a more rapid evolution of capabilities; it’s just patching and updating software rather than buying and installing new hardware.
However, that means reconfiguring old code or writing new code, and that requires a workforce with somewhat different skills than current federal IT staff may possess. A zero-trust architecture impacts everything on the network, which is no longer as siloed as it may have been with more traditional security measures.
Also, the architecture differs depending on the agency. There’s no technical standard for zero trust — no owner’s manual, no Zoom classes — just the requirement that those using the network can prove that they belong. Older, more segmented systems can be worked on with low impact. But because a zero-trust network is so integrated, the impact of a mistake is much higher.
The best way to learn how to maintain such a system, because systems will be specific to agencies, is simply to practice. Agencies must invest in a dedicated area where their IT staff can train, separate from what is needed for production. They’ll eventually have to understand networking, virtualization, storage and servers, and how to write code to tie all the security implementations together and make it function. 
That will be a common skill set in 10 or 15 years, but right now, such workers are unicorns.
LEARN MORE: What are the facts and fallacies surrounding zero trust?

With Zero Trust, Change Is Permanent

Some of the skills issues will become less urgent as zero trust becomes entrenched, but keeping those abilities sharp will always be necessary. New layers of security may be added down the line; the concept itself may evolve. A new burst of technology may appear with even more new skills to learn.

It’s a safe bet that technology vendors will invest in solutions that tie into a zero-trust framework, especially for the next three to five years as the federal government builds out its architecture. The learning curve will probably stabilize for a bit after that, just in time for everything to change again.

Patience is key. We can’t express enough how important it is for agencies to plan what they’re trying to do, define their objectives and do a proof of concept that vets the technology and assesses its capabilities within their own environment. 

There isn’t one vendor who has an end-to-end solution. Anyone who’s trying to take the easy route — buying a “complete” solution without testing and validating it — is in for some disappointment. 

So, take your time. Do the assessments and properly define what you’re trying to achieve. Then you’ll have a much higher probability of success. 

This article is part of FedTech’s CapITal blog series. Please join the discussion on Twitter by using the #FedIT hashtag.

CapITal blog logo

hernan4429/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT