Agencies prep for next phase of ‘zero trust’ cyber upgrades

An upcoming deadline will provide a pulse check on the government-wide push toward "zero trust" cybersecurity defenses.

Agencies are due in the coming weeks to submit updated “zero trust” implementation plans to the White House, marking a key checkpoint in efforts to modernize government cyber defenses.

The implementation plans are due to the Office of Management and Budget and the Office of the National Cyber Director by Nov. 7. That deadline was set out in a summertime memo on the Biden administration’s cybersecurity priorities for the fiscal 2026 budget.

The memo states agency plans should particularly focus on the status of initiatives to upgrade cyber defenses for so-called “high value assets” and “high impact systems.”

The plans will provide federal cyber leaders with a key update on the January 2022 zero trust strategy, which lays out a multi-pronged effort to shift away from perimeter-based cyber defenses toward a “never trust, always verify” approach. The strategy focuses on five technology pillars: identity; devices; networks; applications and workloads; and data.

Brandy Sanchez, zero trust initiative lead at the Cybersecurity and Infrastructure Security Agency, said the forthcoming implementation plans will help inject some “accountability” into progress on the strategy.

“Not to grade agencies. The goal is not to put somebody in a box and to beat them with a stick,” Sanchez said at an ATARC event earlier this month. “The goal is to really take those measures and say, ‘Hey, we need to get from point A to point B in this time frame. And here’s the impact and the importance of those steps, and this is how we’re going to do it.’”

During the Billington Cyber Summit in September, federal Chief Information Officer Clare Martorana noted the 24 large Chief Financial Officers (CFO) Act agencies “are all in the high 90 percent range” when it comes to meeting the initial goals of the zero trust strategy.

“Across the entire ecosystem … metrics are telling us that we have moved from 81 percent to 87 percent completion rate for agencies on that journey,” she said.

The 2024 “Report on the Cybersecurity Posture of the United States,” released by the Office of the National Cyber Director in May, provides some further detail on zero trust-related progress at CFO Act agencies.

The report highlights how multiple CFO-Act agencies increased their encrypted data by at least 10%. And 92% of federal endpoints are covered by at least one endpoint detection and response (EDR) solution.

Meanwhile, the “vast majority” of agencies made progress on deploying phishing-resistant multifactor authentication, according to the report.

Progress on identity, but data a challenge

The adoption of phishing-resistant MFA and other “identity” management systems has been an early emphasis for many agencies. The zero trust strategy puts a premium on identity controls to defend against phishing and other common cyber attacks.

Strong identity management is also a key step toward the zero trust strategy’s concept of verifying “everything and anything attempting to establish access” within a network.

“The momentum around the identity pillar has been transformative, with agencies now able to leverage identity-based providers at scale,” Sean Connelly, a former senior CISA official and currently the zero trust executive director at Zscaler, said in an interview. “This shift has fundamentally changed how agencies operate and secure their environments.”

However, many agency officials point toward the “data” pillar of the strategy as a key long term challenge. The goal is to “deploy protections that make use of thorough data categorization,” per the strategy, but agencies face the challenge of organizing loosely structured and dispersed data throughout their enterprises.

Connelly pointed out that many agencies continue to rely on legacy data centers and mainframes.

“One of the core challenges is dealing with legacy data – how do we apply modern security frameworks and technologies to these entrenched systems and data sets that may be decades old? It’s a persistent issue that will require ongoing effort and strategic innovation,” Connelly said.

Federal cyber leaders have also emphasized that no single vendor or product can provide a holistic zero trust architecture.

And as agencies move into the next phase of zero trust, federal cyber leaders calling on the technology industry to ensure their cybersecurity products can be integrated into large architectures.

“We need to put the onus back on these technology providers to make sure that they’re playing nice in the sandbox with each other,” Sanchez said.

“A lot of progress on identity, devices and networks, but a lot of that has been because there’s been off-the-shelf solutions to those problems,” she added. “Those areas that we’re kind of lagging behind – data, cross-cutting capabilities, applications, workloads — those are the areas that don’t have so many solutions in place, and those that are there don’t really work nicely with the other tools that we already have in place.”

Zero trust red teams

Beyond metrics like MFA adoption, experts say there is also a need for civilian agencies to start testing whether their zero trust architectures are effective in thwarting hackers. The Defense Department has already organized multiple cyber “red teams” to test out DoD’s zero trust use cases.

“There’s considerable opportunity in the civilian sector for more rigorous red teaming of zero trust architectures,” Connelly said. “Testing these systems under real-world conditions will provide critical insights. . . . If a red team is embedded in an agency’s network for a week and they find it difficult to pivot or reach critical systems — such as identity providers or sensitive data — that’s a strong indicator of the agency’s zero trust maturity.”

As part of the implementation plans due early next month, Sanchez said she’ll be looking for details on how agencies are testing their zero trust architectures.

“Are you throwing pen testers at it? How are you making sure that you’re actually covered down whenever you say you’re covered down?” Sanchez said. “The real metric here is that if we’re doing the right things, we’re putting the right measures into place, that we’re going to start seeing a reduction of those cybersecurity events and the severity across the federal enterprise.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Graphic By: Derace LauderdaleCybersecurity

    Rethinking continuous risk metrics to fortify federal cybersecurity

    Read more