Following the arrival of executive order (EO) 14028 in May of 2021, zero trust architecture (ZTA) has emerged as a new and better cybersecurity paradigm for protecting IT resources in federal environments. With the Office of Management and Budget (OMB) directing agencies to achieve certain zero trust goals by the end of 2024, zero trust will likely determine the shape of federal cybersecurity for years to come.
But ultimately, the zero trust paradigm is not just for federal agencies: it is also a way for government contractors (GovCons) and private sector organizations to navigate an IT landscape where remote and hybrid work models have rendered perimeter-based cybersecurity ineffective and obsolete.
Gartner has predicted that by 2023, 60% of all enterprises will be using zero trust in some form or fashion. In this article, we'll explain the government's zero trust security push, CISA's zero trust security model, and the benefits of applying its guidance in today's cyber landscape.
The Need for Zero Trust
While last year's executive order - titled 'Improving the Nation's Cybersecurity' - had multiple catalysts, two were particularly significant. First was the SolarWinds Orion attack, which impacted over 18,000 organizations, including federal, state and local governments, critical infrastructure operators and more.
Second was the Colonial Pipeline attack, which brought the largest provider of natural gas in the Eastern U.S. to a halt. Ultimately, these two incidents exemplify the most serious cyber risks facing federal organizations today - one originating through a trusted software resource (SolarWinds), and the other originating from a foreign actor targeting utilities in the U.S.
In today's cyber landscape, the line between "insider" and "outsider" matters less than in the past - zero trust is an approach to cybersecurity which recognizes this fact. Rather than trying to prevent outsiders from entering a network's outward-facing perimeter, it continually verifies users at every step along their journey: "never trust, always verify."
CISA's Zero Trust Maturity Model
Following last year's executive order, the Cybersecurity and Infrastructure Security Agency (CISA) issued a draft Zero Trust Maturity Model (ZTMM). The ZTMM includes five "pillars" that form the foundation of a zero trust security strategy:
- Identity - agency staff must use enterprise-managed identities and phishing-resistant multi-factor authentication (MFA) to access the applications they use for work.
- Devices - agencies must maintain a complete inventory of every device authorized for government use, with the ability to detect and respond to security incidents on those devices.
- Networks - agencies must encrypt all DNS requests and HTTP traffic within their environment and work to isolate network perimeters.
- Applications and Workloads - agencies must treat all applications as if they were Internet-connected, routinely subjecting them to testing and vulnerability reports.
- Data - agencies must make use of data categorization, and leverage cloud security services to monitor access to sensitive data, aided by enterprise-wide logging and information sharing.
While updates to the ZTMM are expected some time this year, its five pillars of zero trust security are cited in a memorandum issued by the OMB this January, which directs agencies to comply with them by the end of fiscal year (FY) 2024.
Benefits of Zero Trust Security for GovCons
To understand the wide-reaching impact of zero trust security, organizations must realize that it is not merely a tool or methodology that can be integrated into a previous cybersecurity model: it is an entirely new paradigm that will change IT infrastructure at every level of integration in beneficial ways. For instance:
- Better Inventory - maintaining comprehensive and up-to-date inventories of every device will give businesses more control over their infrastructure, rapid insights, and the ability to respond quickly in the midst of crisis incidents. Aside from cybersecurity, it can also pave the way for better integration and performance optimization.
- Cyber Preparedness - with the average cost of data breaches approaching $10 million in the U.S., cyber intrusion is a risk few businesses can afford. By requiring continual authentication, zero trust architecture provides better protection against cyber threats, no matter where they originate.
- Better User Experience - although zero trust architecture requires verification as users switch between applications and devices, the experience can be streamlined with the help of single sign-on (SSO) authentication frameworks that integrate multifactor authentication (MFA) in the background.
- Modernization - implementing zero trust security models can accelerate modernization efforts by requiring organizations to break down technology siloes, update equipment and coordinate information sharing. Often modernization can be hindered by lack of a clear benefit - zero trust provides the benefit decision makers need to pull the trigger.
While not yet required of government contractors, adoption of zero trust models will provide insurance against the worst cyber threats facing businesses today, and a forward-facing IT strategy that will insulate organizations against threats originating from remote/hybrid work environments.
Barriers to Adoption
Given the sweeping nature of zero trust architecture, some organizations worry about the cost and effort required to implement it. When polled, experts cited many potential obstacles to ZTA adoption - among them, legacy technology and a lack of IT skills were high on the list.
Ultimately, CISA has acknowledged that its model will take time for agencies to implement, and only half of agencies are actually expected to be compliant when the 2024 deadline arrives. Accordingly, CISA recommends a tiered approach to zero trust, encompassing "traditional," "advanced" and "optimal" levels of integration.
It isn't necessary to achieve an optimal zero trust architecture all at once - but any progress is a step in the right direction, and one that federal contractors should continue to follow over the next few years.
Beginning Your Zero Trust Journey
For GovCons and private businesses who want to implement zero trust architecture, the best thing to do is await guidance from the National Institute of Standards and Technology (NIST). NIST is gearing up to release zero trust guidance in multiple parts, complete with videos and other training resources.
In the meantime, it is worth consulting the whitepaper "Planning for a Zero Trust Architecture: A Guide for Federal Administrators," which provides a groundwork for zero trust security based on the pre-existing and widely applied NIST Risk Management Framework (RMF). Organizations should also consult with cybersecurity experts who can help them take the next steps.
At Epoch Concepts, we design, source and integrate solutions to empower our customers. From storage to infrastructure, cybersecurity and cloud solutions, we architect fully customizable IT solutions and offer continual customer support. Above all, we put the security of our customers first and work to create an impenetrable supply chain they can trust. When it comes to emerging cybersecurity legislation and standards, we are here to help you every step of the way. Contact us to learn more.