Page 42 - FCW, September/October 2021

Zero trust, practically speaking
Can agencies build the necessary cybersecurity architecture without slipping into a compliance mindset?
Nearly five months after President Joe Biden issued his Executive Order on Improving the Nation’s Cybersecurity, the federal government’s push for zero trust security is in high gear.
The Office of Management and Budget released a Federal Zero Trust Strategy for comment
in early September; the Cybersecurity and Infrastructure Security Agency has published both a Zero Trust Maturity Model and a Cloud Security Technical Reference Architecture; and deadlines for all agencies to adopt multifactor authentication and encryption for data at rest and in transit are looming in November.
FCW recently gathered a group of federal IT leaders to explore what those developments mean in practice and to discuss where agencies are focusing their near-term efforts, how existing security programs can adapt and when new investments may be needed. The discussion was on the record but not for individual attribution (see page 42 for the list of participants), and the quotes have been edited for length and clarity. Here’s what the group had to say.
All about the architecture
The roundtable participants generally praised the executive order and the subsequent focus on security, but some were concerned that the push for measurable progress could create yet another compliance exercise.
“You’re asking us to do these four very specific stovepiped areas that we’ve been supposed to be doing all along, which are great foundational things,” one official said. “However, it’s losing the spirit of zero trust, which is an architecture. It’s an integration effort. And we’re going to misinterpret because you can’t go in with the assumption that everybody understands what zero trust is. Even if they’ve read [the National Institute of Standards and Technology’s Special Publication] 800-207 and things like that, there’s still an education” that needs to happen.
Another executive agreed that the emphasis must be on the architecture. “You’re looking at how things are going to interact with each other — systems, humans, processes — and how you’re going to optimize that to the benefit of a larger ecosystem as opposed to one individual system or one individual organization.”
“There’s some serious innovative thinking that has been done in other sectors, but being so strict in how you approach a problem that you can’t even see the other solutions is not a good strategy as we try to execute the EO to its fullest,” that official added. “If we were to architecturally lay out how these systems are interacting, understand the risk at each point of those interactions and then look at the funding profiles across the enterprise, that gives you a heat map of where you should be considering a different type of funding model in order to get the type of resources necessary to mitigate the risk.”
Many government leaders struggle to understand architecture in the security context, so the necessary governance may not be in place yet. “We can’t do these things in stovepipes, so