Embarking on the Zero Trust Journey: A Guide for Agencies

The present and future state of Federal IT has monumental challenges to address – modernization, data utilization, and automation just to name a few – but none are so critical, or enduring, as cybersecurity. It’s the threat that will never fully go away – and where eternal vigilance, and innovation, are the price of liberty.

Agencies are constantly evaluating how they can improve efforts to secure their networks and mission-critical data. And now the stakes are even higher with the increasing acceptance of emerging technologies that are quickly expanding the threat landscape.

Here’s what the pathway looks like for agencies:

Next Stop, Zero Trust

The first step in any journey is envisioning your destination.

In September of this year, the National Institute of Standards and Technology (NIST) released its Zero Trust Architecture draft, setting the tone for the future of Federal cybersecurity and the journey ahead. With the release by NIST, the Federal government is setting its sights on enterprise wide Zero Trust implementation.

The Zero Trust approach moves away from cyber defenses on the traditional network perimeter that has been dissolved by network complexity. Instead, defenses are focused on safeguarding individual resources. The never-trust, always-verify mentality ensures data is accessed only by those who need it when they need it.

Preparing for Takeoff

Zero Trust is the future of Federal cybersecurity, so agencies are trying to assess their preparedness for implementation.

“All agencies are ready because zero trust is not an end state,” said Will Ash, senior director of security sales at Cisco. “It’s a way of thinking and looking at your environment, a guide to help you make decisions.”

Current cyber policies and mandates such as the Continuous Diagnostics and Mitigation Program (CDM), EINSTEIN, the Risk Management Framework (RMF), and the Federal Identity, Credential, and Access Management (FICAM) policy have already laid the groundwork for the seamless integration of Zero Trust.

For example, the goal of CDM is to understand and manage the who, what, when, where, and why of enterprise networks. The information collected from the CDM program helps determine who gets the granular trust and access to resources established by the Zero Trust Architecture.

The good news is that agencies have the support of Federal IT leaders and decision makers. NIST – responsible for providing technical support and leadership for the nation’s measurements and standards infrastructure – has established the importance of Zero Trust in its draft report. With this guidance, agencies can have a better understanding of how exactly this approach will revolutionize cyber defense efforts.

And agencies are already building Zero Trust requirements into their network architecture plans and contracts.

Don’t Go it Alone

As cyber criminals continue to evolve their approaches and techniques to exploit emerging technologies and other vulnerabilities, agencies must recalculate their next moves to keep pace. Since it’s next to impossible to predict adversaries’ next steps, agencies can find themselves going in circles – never reaching their destination.

Cyber threats come in all shapes and size, however some present bigger danger than others. Some of the biggest threats impacting the Federal government include complexity of defense capabilities, and difficulties in directing attention, expediting certification requirements, and prioritizing budgets.

Mitigating cybersecurity roadblocks – always easier said than done – is truly a team sport. With the shared knowledge of the public and private sector, threats can be more easily confronted and resolved. While the public sector has deep-rooted understanding of threats, the private sector is poised to deliver the technology solutions that can meet those threats quickly and securely.

“With proper security technology, technology leaders can do more,” said Ash. “They can create new programs that they never could have before due to security implications. As advanced capabilities are unrolled, they’re easier to execute.”

When cyber controls are automated and responsibility for them is lifted from the agencies and shared by the best the private sector has to offer, security leaders can focus on creative solutions to other mission-critical work.

Categories

Recent