What’s next for agencies in their zero trust journey
A year after President Biden outlined the federal zero trust architecture strategy along with the requirements for meeting specific cybersecurity standards and...
A year after President Biden outlined the federal zero trust architecture strategy along with the requirements for meeting specific cybersecurity standards and objectives by fiscal year 2024, agencies are in a crucial stage of development. With initial planning behind them and only about 18 months until the deadline, it’s time to act and implement those plans.
There are several steps agencies can take to help facilitate this second stage of the zero trust strategy implementation process, including integrating systems across networks, investing resources across different aspects of the network to ensure a well-rounded security posture and engaging with the respective agency’s zero trust office.
Make zero trust about modernization, not just security
Now that most agencies have cleared some of the early hurdles of developing their zero trust strategy, it’s time to shift focus. With the planning, education and inventorying done, the crucial next steps will still involve both the human and technology elements, but with more of an eye toward implementation.
At a recent Fortinet Federal Security Transformation Summit, I spoke with two federal cybersecurity leaders about their individual journeys at the Defense Department and the Health and Human Services Department Office of Inspector General. They both highlighted that this second phase will be about taking action based on the plans developed in phase one while also taking into account the dynamic, evolving nature of users and their needs.
On the workforce side, it’s important for users to understand that this is about modernization where they can realize better performance and benefits, not just about better security. That’s a cultural mindset that needs to be reinforced through the zero trust process and should be built into the messaging.
Agency IT teams should also begin the process of understanding personas so they can get the data to the right people at the right time. Mapping out the proper flow of information and who should have access to certain data will be foundational in this second phase because it helps cybersecurity staff build in requirements early in the process rather than grafting them on piecemeal.
Prioritize inventorying, policies and risk tolerance
The next decision will be choosing which pillars of the ZT strategy to attack first. While every organization is in a different place with different needs, there are a few pillars where all agencies can make progress.
Because the technology is out there and just about every federal employee is using a device of some kind, starting off with the user, data and device pillars makes the most sense. A good start would be getting an accurate inventory of both users and devices. This list will make it easier to not only set permissions for active users, but also to discover former employees to make sure they — and their devices — have had access privileges turned off.
On the non-technical side, it’s important for agencies to think through their risk tolerances. IT and security teams should be working together to identify what the minimum threshold is for letting a user have access to parts of the network. And because access is dynamic, there needs to be continuous monitoring in case factors change that would make the threshold go up or down.
While this is a big technology lift, agencies cannot forget about the governance, policies, methodology and thresholds that go along with the software.
The federal government’s march to zero trust is both important and a huge challenge. With every agency taking on the journey in their own unique ways, it can be tough to find a model to lean on. But with this second phase pushing on, the actions outlined above can serve as useful advice no matter the mission.
Felipe Fernandez is the chief technology officer for Fortinet Federal.
What’s next for agencies in their zero trust journey
A year after President Biden outlined the federal zero trust architecture strategy along with the requirements for meeting specific cybersecurity standards and...
A year after President Biden outlined the federal zero trust architecture strategy along with the requirements for meeting specific cybersecurity standards and objectives by fiscal year 2024, agencies are in a crucial stage of development. With initial planning behind them and only about 18 months until the deadline, it’s time to act and implement those plans.
There are several steps agencies can take to help facilitate this second stage of the zero trust strategy implementation process, including integrating systems across networks, investing resources across different aspects of the network to ensure a well-rounded security posture and engaging with the respective agency’s zero trust office.
Make zero trust about modernization, not just security
Now that most agencies have cleared some of the early hurdles of developing their zero trust strategy, it’s time to shift focus. With the planning, education and inventorying done, the crucial next steps will still involve both the human and technology elements, but with more of an eye toward implementation.
At a recent Fortinet Federal Security Transformation Summit, I spoke with two federal cybersecurity leaders about their individual journeys at the Defense Department and the Health and Human Services Department Office of Inspector General. They both highlighted that this second phase will be about taking action based on the plans developed in phase one while also taking into account the dynamic, evolving nature of users and their needs.
Get tips and tactics to make informed IT and professional services buys across government in our Small Business Guide.
On the workforce side, it’s important for users to understand that this is about modernization where they can realize better performance and benefits, not just about better security. That’s a cultural mindset that needs to be reinforced through the zero trust process and should be built into the messaging.
Agency IT teams should also begin the process of understanding personas so they can get the data to the right people at the right time. Mapping out the proper flow of information and who should have access to certain data will be foundational in this second phase because it helps cybersecurity staff build in requirements early in the process rather than grafting them on piecemeal.
Prioritize inventorying, policies and risk tolerance
The next decision will be choosing which pillars of the ZT strategy to attack first. While every organization is in a different place with different needs, there are a few pillars where all agencies can make progress.
Because the technology is out there and just about every federal employee is using a device of some kind, starting off with the user, data and device pillars makes the most sense. A good start would be getting an accurate inventory of both users and devices. This list will make it easier to not only set permissions for active users, but also to discover former employees to make sure they — and their devices — have had access privileges turned off.
On the non-technical side, it’s important for agencies to think through their risk tolerances. IT and security teams should be working together to identify what the minimum threshold is for letting a user have access to parts of the network. And because access is dynamic, there needs to be continuous monitoring in case factors change that would make the threshold go up or down.
While this is a big technology lift, agencies cannot forget about the governance, policies, methodology and thresholds that go along with the software.
The federal government’s march to zero trust is both important and a huge challenge. With every agency taking on the journey in their own unique ways, it can be tough to find a model to lean on. But with this second phase pushing on, the actions outlined above can serve as useful advice no matter the mission.
Felipe Fernandez is the chief technology officer for Fortinet Federal.
Read more: Commentary
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Related Stories
Accelerating zero trust though introduction of compliance data science
Why agencies must move beyond Pillar 1 of zero trust
All things Zero Trust