Security

Expert Guides for the Zero-Trust Journey Can Ease an Agency’s Workload

Federal IT staffers seek help synthesizing the knowledge needed to implement new security plans.

Matt Richbourg is a Senior Security Architect for CDW•G.

Ever since the White House issued its 2021 executive order requiring all federal agencies to move to zero-trust environments to strengthen government cybersecurity, the Cybersecurity and Infrastructure Security Agency has been dispensing helpful guidance on how to reach that goal.

Agency IT officials appreciate and value the information. But the Center for Strategic and International Studies notes in a 2023 report that agencies could use specific, hands-on assistance on zero-trust development from subject matter experts as well.

“This suggestion raises a few questions,” write the authors of “CISA’s Evolving .gov Mission.” “Does CISA has the capacity to offer this type of service? And if not, is it their job to find a way to do so given their role as the designated lead for federal network security?”

Maybe not. CISA offers high-level guidance; the agency isn’t providing tactical, actionable game plans. Over and over, the zero-trust mantra has been, “It’s a journey, not a destination,” and that journey is different for every agency.

Agencies that realize that zero trust is a major overhaul in the way government looks at security will be in the best position, and they will know that outside help is necessary.

Click the banner to read CDW’s white paper on enhancing zero trust for your agency.

Once in a Career for Agencies, a Daily Experience for Partners

An agency might take on a project of this scale once every 20 or 30 years; industry partners focus on these issues every day across an array of customers. As a result, they know what questions will come up and how to answer them, and they know how to avoid the most common pitfalls.

Because they specialize in zero-trust transitions — and leave the responsibility of keeping the rest of the infrastructure running to the agency — it’s worth an agency’s time to ask for help. Massive organizational change requires integration with industry to provide the services needed; massive organizational change on a deadline requires even tighter integration.

Federal civilian agencies, with a deadline of Sept. 30, should be in their final stages by now. Defense agencies have until 2027.

CISA’s guidelines do include a zero-trust maturity model against which agencies can assess themselves. Many of the model’s pillars are already part of federal cybersecurity practices — for instance, many federal networks are already segmented and their traffic encrypted — and merely need to be rearranged to fit the new requirements. But some pillars may require more outside assistance than others.

DIVE DEEPER: Strengthen your agency’s cybersecurity and zero-trust practices.

Upgrading Identity Practices May Require the Most Assistance

The one posing the most challenges so far is the identity pillar. Identity, credential and access management and privileged access management were always required for federal agencies, but they were not emphasized in a traditional network security model the way that they are in a zero-trust model.

ICAM adjustments have an immediate and visible impact on the end-user experience; they change how a user enters the system. Think of it this way: Traditional security puts a bouncer at the door to check ID, and once you’re in the building, you’re in. With zero trust, there is no door, and the building has no walls. IDs must constantly be checked to make sure people are only where they’re supposed to be once in the building.

It’s a big shift, and figuring out who should have access to what information in the first place is a complex task. In addition, a new identity verification system will have to integrate with all of the agency’s technology; an agency-built system that may not integrate easily with commercial technology also creates roadblocks.

If an agency establishes ICAM right, the verification happens mostly behind the scenes. Some upfront aspects (multiple logins, for example) are still visible to the user, however, and any time you add extra steps to the user experience, you may get pushback.

Zero Trust Is an Ongoing Project

In the end, even if an agency achieves full compliance with the CISA model, there’s no such thing as 100 percent security. There’s always something to do. Again, zero trust is neither a goal nor a box to check; it’s a cultural change. It’s a new way of viewing and approaching security, and every decision must be filtered through it.

That’s not easy to implement. Third-party specialists can sit down with an agency IT team, look at the environment and hand over a to-do list prioritized by how much the tasks cost, how critical the tasks are to operations and more.

Bringing in an outside observer who works on security and zero trust every day provides long-term benefits. It’s so much easier to have someone available to spot and solve problems before they emerge than to try to fix things after they break.

This article is part of FedTech’s CapITal blog series.