The growing threat from cyber actors has underscored the need for Federal agencies to verify and authenticate everyone and everything accessing their networks.
In response to this need, cyber officials within the Biden administration began to push for the adoption of a zero trust security model – a model considered too difficult to widely adopt. However, with detailed guidance, Federal agencies have begun to make significant strides toward adopting this security model.
On day one of the Billington Cybersecurity Summit, Chris DeRusha, the Federal chief information security officer at the Office of Management and Budget (OMB), discussed the journey to develop a national zero trust framework, lessons learned, and challenges ahead in implementing this security model.
“We see today that zero trust was always a good idea,” DeRusha said. “At first there was this great concern that zero trust was too broad a term and agencies would not understand what it was they needed to do. So, we defined it.”
By defining the term, OMB, drawing on feedback from other Federal agencies, built out a framework that could help Federal agencies develop their individual zero trust strategies.
Earlier this year, OMB released a Federal strategy to move the U.S. government toward that zero trust approach to cybersecurity. The strategy detailed a series of specific security goals for agencies and has served as a comprehensive roadmap for shifting the Federal government to this new cybersecurity paradigm.
“Today we see this increasing momentum in the development of zero trust strategies and implementing zero trust strategies. This, to me, is a tremendous success because we went from doubting agencies agreeing to this idea to agencies increasingly adopting this mindset,” DeRusha said.
However, this journey to zero trust has not been without its challenges, specifically a people, process, and technology problem, DeRusha explained.
“Something that could slow down the adoption of this security model is a people, process, and technology challenge. Zero trust is a new way of thinking, and this requires a cultural shift in the way Federal employees previously went about gaining access. It also requires a shift in agency processes and technology modernization,” DeRusha said.
In addition, because adopting zero trust will also require technology modernization to ensure agencies have the best software to operate in and secure their networks, officials managing their agency's budget must be involved in every step of the implementation process to ensure the strategy aligns with that budget and vice versa.