cial said of the executive order. “I’m pretty excited about how now, holis- tically as an agency, we’re pushing those things forward.”
The executive order is explicit in its requirement that agencies develop plans for adopting zero trust security principles, but one participant said the unspoken goals are even more ambi- tious. “There is a plan behind this, which may or may not be clear in the words of the EO, that we want to use zero trust as the sounding call to push us into the right direction, where we all acknowledge that we just can’t trust the integrity of our networks now,” that official said. “And we have to do something fast and move with alacrity to start addressing that. And it will be imperfect, that’s true, but I do think we’re organizing around the right principles at this point.”
There is some hype around zero trust, several participants noted, par-
ticularly when it comes to vendors trying to hitch their products and ser- vices to the topic. But they did not see the concept going away.
“I hear a lot about, is this a buzz word? And three or four years from now, is it going to be a different sort of paradigm?” one official said. “I don’t think so. I’ve asked others if they think so and I haven’t heard any- body who’s explained to me how it would be a different paradigm in three or four years. So, I think it’s the right thing for us to be driving towards — I don’t think it’s going anywhere for a while.”
Finally, a funding source?
Re-engineering an agency around zero trust architecture is an expen- sive undertaking, and one that is not likely to produce clear cost savings the way some modernization efforts can. “The big problem becomes the
money,” as one participant put it. The executive order’s reporting requirements, however, could ulti- mately help agencies build a business case, one official noted. Self-assess- ments are being used by the Office of Management and Budget to inform a “strategy-slash-implementation plan, trying to describe where agencies need to be on a first order of capa-
bility,” that participant said.
“If you look at a capability matu-
rity model for zero trust, and you can describe the future plan, we want to put agencies on a roadmap for three- to five-year investment plans to get to that first capability level,” the official said. “We’re working at guidance to help make it clear what that is and how to do that. And I think what we’re also going to work to address is to try to answer a very elusive question of, What is sufficiency in the cyber budget?”
August 2021 FCW.COM 93