Trust issues: Three tips for agencies implementing OMB’s zero trust guidance

The Biden administration has made zero trust a priority for the federal government, going so far as to release an executive order directing agencies to develop cybersecurity plans that include zero trust architecture.

The latest guidance from OMB put the urgency of the issue in stark relief: “In the current threat environment, the federal government can no longer depend on perimeter-based defenses to protect critical systems and data. Meeting this challenge will require a major paradigm shift in how federal agencies approach cybersecurity.”

Agencies have until the end of September 2024 to meet five specific zero trust security goals that focus on identity management, devices, networks, applications and data.

But like a lot of cyber challenges, it takes more than just deploying a solution or strategy. From changing the way government thinks about cybersecurity to harnessing tools already at federal IT teams’ disposal, agencies have a lot of work ahead of them.

By addressing the pain points of the process now, agencies won’t be caught flat-footed. In that spirit, below are some tips for agencies to think about before moving ahead with implementing zero trust architecture using OMB’s guidance.

Making a cultural shift

Building zero trust architecture into an agency’s cybersecurity framework isn’t just about deploying the technology and calling it a day. It will take a fundamental shift in the way federal IT teams—and the federal workforce at large—think about cybersecurity.

Zero-trust can be broken down into three big actions: Verify every user, validate every device and provide only as much access as needed. This sounds simple, but it goes against longstanding habits like prioritizing perimeter defense and thinking that those users within the network perimeter could be trusted.

A foundational principle of zero trust is that users on the network should not enjoy any more trust than users who are located outside of the network perimeter or even working off the network.

Utilizing resources at hand

Agencies planning to implement zero trust architecture under the OMB guidance and utilizing CISA’s Maturity Model should not try to reinvent the wheel.

For example, President Biden’s cybersecurity executive order requires agencies to deploy an endpoint detection and response (EDR) initiative to “support proactive detection of cybersecurity incidents within federal government infrastructure, active cyber hunting, containment and remediation, and incident response.”

In this case, federal IT teams should look to the myriad commercial EDR solutions already available as a starting point and then fit those solutions to their unique agency needs. This saves time not only in development, but also deployment and implementation since much of the front-end work has already been done by the vendor.

Finding the right fit

Every agency must tailor its zero-trust strategy to its own specific needs and missions. That means addressing the granular issues as well as the big picture questions.

Looking at it from a broad perspective, an agency with a fully remote workforce will have a different plan than one that never left the office or that is phasing back in-person operations.

A granular analysis would look at how the agency’s employees utilize certain tools. Validating a user and device at the start of each log-in session might be the right way to go for an agency that doesn’t work across a lot of applications.

But in many cases that measure wouldn’t provide an adequate level of security and control for agencies that use a variety of applications and IT resources. For those kinds of agencies, looking at validating access by application within a log-in session is the way to go.

Zero trust is the way forward, but it can’t be done without taking the proper foundational steps first and building up from there. This will not be easy for federal agencies. The term “zero trust” is often misinterpreted as implying that the workforce is not trustworthy, rather than that trust is an attribute that needs to be revalidated, much as identity is when employees have to display a badge when they enter the physical workplace. Some goals and concepts are harder to explain and are complicated in practice, but doing this right from the start will facilitate the successful implementation of a zero trust strategy.

One good first step for controlling access to applications is zero trust network access (ZTNA). It extends the principles of ZTA to verify users and devices before every application session, ensuring that they conform to the organization’s policy for accessing that application.
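To make the log-in-session versus per-application distinction concrete, here is an added example (not from the article or from Fortinet) contrasting the two validation models in Python; the user, device, application names and role policy are constructed for illustration, and "device compliance" stands in for whatever posture signal (EDR health, patch level) an agency actually uses.

```python
from dataclasses import dataclass

@dataclass
class Device:
    compliant: bool            # e.g. EDR agent healthy, disk encrypted, patched
@dataclass
class User:
    mfa_verified: bool
    roles: set
@dataclass
class Session:
    user: User
    device: Device
    login_checked: bool = False   # only used by the once-at-log-in model

# Constructed policy: which roles may open which application.
# Least privilege: any application not listed is denied.
APP_POLICY = {
    "payroll": {"finance"},
    "ticketing": {"finance", "helpdesk"},
}

def verify_user_and_device(user: User, device: Device) -> bool:
    """Verify the user and validate the device posture as they are right now."""
    return user.mfa_verified and device.compliant

def login_session_model(session: Session, app: str) -> bool:
    """Validate user and device once at log-in; later requests only check the role."""
    if not session.login_checked:
        if not verify_user_and_device(session.user, session.device):
            return False
        session.login_checked = True
    return bool(session.user.roles & APP_POLICY.get(app, set()))

def ztna_model(session: Session, app: str) -> bool:
    """Re-verify user and device before every application session, then apply policy."""
    return verify_user_and_device(session.user, session.device) and \
        bool(session.user.roles & APP_POLICY.get(app, set()))

def compare_models():
    """Constructed scenario: the device drifts out of compliance mid-session."""
    user = User(mfa_verified=True, roles={"finance"})
    device = Device(compliant=True)
    s_login, s_ztna = Session(user, device), Session(user, device)
    before = (login_session_model(s_login, "payroll"), ztna_model(s_ztna, "payroll"))
    device.compliant = False   # e.g. EDR reports the endpoint is no longer healthy
    after = (login_session_model(s_login, "payroll"), ztna_model(s_ztna, "payroll"))
    return before, after       # ((True, True), (True, False))
```

The once-at-log-in model keeps granting payroll access after the device falls out of compliance, while the per-application model denies the next session; both deny applications the user's role was never granted.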

There’s a lot more to think about but the tips above will give agencies a jump on implementing zero trust architecture right from the start. That will position the government for successful implementation in a time when failure is not an option.

Jim Richberg is the public sector field chief information security officer at Fortinet.