When it comes to cybersecurity across the federal government, one thing is clear: migrating to a Zero Trust security architecture is a top priority. Last year’s Cyber Executive Order (EO) called on agencies to build Zero Trust into their security strategies, and this year’s Office of Management and Budget (OMB) finalized Zero Trust mandate laid out specific requirements and timelines for federal agencies to expedite and enhance their cyber resolve.
While new research from Forrester highlights that IT leaders across large enterprises are aware of the importance of Zero Trust in combating cyberattacks, many struggle with determining where to start. Despite the priority, just 36 percent of those enterprises have started to deploy Zero Trust solutions – and only 6 percent of organizations note that their plans to implement Zero Trust are complete.
So, where should federal agencies begin their Zero Trust journey and how can they work to prioritize meeting these critical security directives? Creating a Zero Trust taskforce with a director or lead is a key place to start. In fact, the OMB Zero Trust mandate required agencies to appoint a Zero Trust lead within 30 days, so at the end of February 2022.
The Blueprint for a Zero Trust Taskforce
A Zero Trust taskforce is all about focus, ensuring C-level buy-in and, most importantly, allocating budget for implementation plans. To drive success, participants can look at what’s working for other agencies, and identify available resources – templates, guides, pilot or pathfinder initiatives, reference architectures, etc. – to avoid starting from scratch.
As a starting point, a Zero Trust taskforce should include an agency’s Chief Information Officer (CIO) and Chief Information Security Officer (CISO). Once identified, the agency’s Zero Trust implementation lead should direct activities and serve as the agency’s executive sponsor for Zero Trust. Including the Chief Technology Officer (CTO), the Deputy CIO, and representation from the wider Office of the CIO can be a strategic move in establishing buy-in for the taskforce as well.
The team’s goal is to identify initial steps that are actionable and feasible based on the agency’s mission, workloads, and current infrastructure, and then enable the agency to take those steps. All too often when faced with a boil-the-ocean approach, agency leaders fall back to entropy, struggling to implement critical change. Even limited Zero Trust progress today will have a positive impact on the agency’s security posture over time.
Prioritizing the Pillars
A Zero Trust taskforce will also help prioritize the right tasks and ensure your agency is tackling the most critical concerns first. Zero Trust is a philosophy, not a product. It’s composed of five pillars: identity, device, network/environment, application and workload, and data. Although bolstering security around every pillar is essential to achieve a comprehensive Zero Trust architecture, if every pillar is an immediate priority, then nothing becomes the priority.
Too often, agencies focus first on upgrading their network, focusing on user access or making sure all their devices that connect to the network are approved devices. While necessary precautions, none of those steps will stop the lateral movement of a cyberattack once attackers inevitably breach agency systems – and how agencies plan on stopping the lateral movement of cyberattacks is one of the specific mandates that OMB calls out in their memo. In fact, it’s at the top of the priority list.
One of the first steps that federal agencies can take to accelerate Zero Trust initiatives and achieve Zero Trust protocol, as outlined by the OMB, is to invest in micro-segmentation. Micro-segmentation falls under the application and workload pillar of Zero Trust and is responsible for stopping the lateral movement of cyberattacks post-breach. It’s a technique that breaks data centers and cloud environments down to the individual workload level, through micro-segmenting or ring-fencing them, stopping malware or cyberattacks at the source. This is sometimes referred to as preventing East/West movement and always includes creating a real-time visibility map first. You have to be able to see what you ultimately want to micro-segment.
Leaders can prevent attackers from moving across networks by applying least-privilege access controls, which effectively limit the impact of a cyberattack and make it even more challenging or unlikely for attackers to gain access to critical agency data.
Zero Trust Taskforce for Accelerating Implementation
With a Zero Trust taskforce and key lead in place, key stakeholders (including CIOs and CISOs) can come together to achieve Zero Trust at scale – in accordance with the Biden administration’s EO, and the specific requirements in the OMB’s federal Zero Trust mandate.
Ultimately, the goal is to strengthen cyber defenses and bolster cyber resilience across the federal government. Taking initial steps to implement Zero Trust strategies while prioritizing micro-segmentation today will help keep federal agencies, data, systems, missions, and ultimately citizen services secure. Zero Trust is a proven and trusted way to achieve national resilience at scale – and the time for agencies to lean into bolstering cyber resilience with Zero Trust is now.
