First, it was the attack on SolarWinds, then the Colonial Pipeline, and most recently, Log4j. Unfortunately, these successful and very public cyber exploits weren’t the first, and they certainly won’t be the last.
Federal leaders are no longer surprised when attackers identify the next crack in the dam. That doesn’t mean they can sit complacently by and wait.
The onset of COVID-19 and the shift to hybrid work expedited the need for government agencies to reevaluate how best to utilize their limited resources to plug the unfilled holes. The need to fast-track remote access has led to the recent adoption of, emphasis on, and implementation of Zero Trust (ZT) innovations.
White House Executive Order 14028, issued on May 12, 2021, made ZT architecture central to the federal security landscape, required agencies to develop new standards that could better prevent cyber incidents, and mandated the transformation of government systems into more secure digital infrastructures.
Since then, the Office of Management and Budget released its federal strategy in January, and the Cybersecurity and Infrastructure Security Agency issued its latest ZT guidance for agencies this March.
While guidance abounds, there are many steps required to implement federal efforts to identify, detect, deter, prevent and respond to these ever-evolving threats. Agency leaders are working to adopt the mindset of trust nothing and verify everything to prioritize the transformation of legacy systems.
The General Services Administration is supporting the implementation phase with plans to issue ZT playbooks this year. These roadmaps will help operationalize the ZT strategies required by the EO and recently submitted by each federal agency.
So, what should these playbooks contain? First, they should define the key tenets of ZT. Second, playbooks need actionable and proven guidelines that go beyond top-line EO-driven agency strategies to guide adoption in six key steps.
Define Key Tenets of ZT
For starters, ZT is not a destination but rather an ongoing journey. It optimizes and improves security by increasing levels of automation, refining access to data and making sound decisions based on policies and risk. It includes six key tenets that leaders must fully understand to drive implementation:
- Identities: people, services and internet-of-things components
- Devices: monitoring and enforcing device health and compliance
- Apps and Services: ensuring appropriate permissions and secure configurations
- Data: giving data the necessary attributes and encryption to safeguard it out in the open
- Infrastructure: hardening against attacks on-premises or in the cloud
- Networks: establishing controls to segment, monitor, analyze and encrypt end-to-end traffic
Implementing Trust Resilience
Agencies can benefit from proven strategies poised to tackle EO ZT requirements in actionable bites and implement a “trust resilience framework” in six key steps.
1. Establish a ZT Accelerator. Assess current plans to understand the operating environment of basic ZT tenets and create a strategic roadmap.
2. Build a Risk Management Framework (RMF). RMF as a service coupled with continuous authorization to operate (ATO) can be pre-packaged to meet the National Institute of Standards and Technology (NIST) framework.
3. Ensure Continuous ATO. Give the highest level of assurance for existing systems to pass annual audits.
4. Secure Cloud Infrastructure. Ensure the technology stack is designed on ZT principles.
5. Secure Access Service Edge (SASE). Ensure authorized users have access anytime, anywhere.
6. Enterprise IT Support. Provide as-a-service delivery of the previous four items (2-5).
The transition to, and implementation of, ZT across the federal government will be challenging, but is of the utmost importance. Transformation will require experienced people who know how to interpret the technologies implemented and understand that every arm of government operates at a different pace.
Enhanced collaboration with private industry will go a long way in supporting the federal government throughout the adoption process and into the future. Best practices stand ready to support agencies as they build the tailored, specialized and playbook-aligned approaches necessary to meet the nation’s cyber threats.
Shawn Kingsberry is Vice President, Cybersecurity at SAIC
This article is an Op-Ed and as such, the opinions expressed are those of the authors. If you would like to respond, or have an editorial of your own you would like to submit, please email C4ISRNET Senior Managing Editor Cary O’Reilly.