Once in a Career for Agencies, a Daily Experience for Partners
An agency might take on a project of this scale once every 20 or 30 years; industry partners focus on these issues every day across an array of customers. As a result, they know what questions will come up and how to answer them, and they know how to avoid the most common pitfalls.
Because they specialize in zero-trust transitions — and leave the responsibility of keeping the rest of the infrastructure running to the agency — it’s worth an agency’s time to ask for help. Massive organizational change requires integration with industry to provide the services needed; massive organizational change on a deadline requires even tighter integration.
Federal civilian agencies, with a deadline of Sept. 30, should be in their final stages by now. Defense agencies have until 2027.
CISA’s guidelines do include a zero-trust maturity model against which agencies can assess themselves. Many of the model’s pillars are already part of federal cybersecurity practices — for instance, many federal networks are already segmented and their traffic encrypted — and merely need to be rearranged to fit the new requirements. But some pillars may require more outside assistance than others.
Upgrading Identity Practices May Require the Most Assistance
The one posing the most challenges so far is the identity pillar. Identity, credential and access management (ICAM) and privileged access management were always required for federal agencies, but they were not emphasized in a traditional network security model the way that they are in a zero-trust model.
ICAM adjustments have an immediate and visible impact on the end-user experience; they change how a user enters the system. Think of it this way: Traditional security puts a bouncer at the door to check ID, and once you’re in the building, you’re in. With zero trust, there is no door, and the building has no walls. IDs must be checked continuously to make sure people are only where they’re supposed to be, not just once at the entrance.
It’s a big shift, and figuring out who should have access to what information in the first place is a complex task. In addition, a new identity verification system will have to integrate with all of the agency’s technology; an agency-built system that may not integrate easily with commercial technology also creates roadblocks.
If an agency establishes ICAM right, the verification happens mostly behind the scenes. Some upfront aspects (multiple logins, for example) are still visible to the user, however, and any time you add extra steps to the user experience, you may get pushback.
Zero Trust Is an Ongoing Project
In the end, even if an agency achieves full compliance with the CISA model, there’s no such thing as 100 percent security. There’s always something to do. Again, zero trust is neither a goal nor a box to check; it’s a cultural change. It’s a new way of viewing and approaching security, and every decision must be filtered through it.
That’s not easy to implement. Third-party specialists can sit down with an agency IT team, look at the environment and hand over a to-do list prioritized by how much the tasks cost, how critical the tasks are to operations and more.
Bringing in an outside observer who works on security and zero trust every day provides long-term benefits. It’s so much easier to have someone available to spot and solve problems before they emerge than to try to fix things after they break.
This article is part of FedTech’s CapITal blog series.