What Zero Trust Means for Modern Government: Best Practices for Key Tenets


By Patrick Tiquet, VP of Security and Architecture, Keeper Security 

Over the past few years, an important cybersecurity initiative has quickly swept across U.S. federal government agencies. Like few other tech initiatives, zero trust has taken hold at warp speed, thanks to a cooperative push from various cybersecurity authorities and frameworks.

The White House Executive Order 14028, CISA’s Zero Trust Maturity Model, Office of Management and Budget (OMB M-22-09) and the DoD zero trust strategy and roadmap have coalesced to make zero trust a current reality across numerous government agencies within the span of less than two years. That’s extremely fast, relatively speaking. And for good reason: the federal push toward zero trust is critical for the development and deployment of secure and resilient next-generation technologies and infrastructure.

Zero trust is a modern security framework that eliminates implicit trust. It requires all human users and devices to be continuously and explicitly validated, and strictly limits access to network systems and data. Instead of focusing on where users are logging in from, zero trust concentrates on who they are.

The continued unification of disparate cybersecurity efforts governmentwide indicates further progress toward a cohesive approach to cybersecurity as a true economic and national security priority. As with any new initiative, however, there are challenges to adopting new solutions and processes.

To effectively meet the requirements of Executive Order (EO) 14028, Office of Management and Budget (OMB) M-22-09, the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model and the Department of Defense (DoD) Zero Trust Strategy and roadmap, all federal civilian agencies should implement a few key best practices, including:

Select FedRAMP Authorized solutions. The Federal Risk and Authorization Management Program (FedRAMP) makes zero trust possible with its secure, authorized solutions. The U.S. government created FedRAMP to achieve a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. The FedRAMP marketplace is a critical resource for agencies to find and compare credible and secure authorized vendors through a trusted public-private partnership. It also ensures that the government is in lockstep with the most advanced cloud-based software and services that are driving the high-stakes capital markets. By working with FedRAMP Authorized solution providers that offer the highest levels of security and privacy, agencies can comply with federal government zero trust cybersecurity directives.

Adopt Multi-Factor Authentication (MFA). Using phishing-resistant MFA wherever available is a key directive. Agencies should add support for Two-Factor Authentication (2FA) methods such as SMS, TOTP-based authenticator apps like Google or Microsoft Authenticator, RSA SecurID, Duo Security, and FIDO2 WebAuthn devices like YubiKey.

Deploy capabilities for secure file sharing. In support of the OMB’s requirement for enterprise-wide information sharing, secure file sharing is important to enable efficient, secure, vault-to-vault sharing of stored files.

FIPS-140 Validated Encryption. FedRAMP and other federal directives mandate the use of FIPS-140 validated encryption. Ensuring the use of FIPS-140 validated encryption in your information systems will help you to achieve the best security, interoperability and compliance required by government agencies.

The Future of Cybersecurity in Government

The OMB Binding Operational Directive (BOD) M-22-09 has authoritative guidance on “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles” including clarification on CISA directives for BOD 23-01. Achieving zero trust is a responsibility for every organization doing business with the U.S. government. All high-level activities conducted by federal agencies and all networked assets require it. And all benefit from the advanced protections that a zero-trust security model ensures. FedRAMP makes available the tools and technologies to take the critical step in achieving modern, effective compliance with EO 14028 and CISA, DoD and OMB zero-trust directives. Organizations are empowered to participate in these shared governance models that foster a collective approach to zero-trust cybersecurity.