Federal agencies are adopting key cybersecurity practices like zero trust and software supply chain risk management. Sarah Cleveland, senior strategy advisor at...
Zero trust architectures are moving from concept to reality in the federal government.
The White House Office of Management and Budget has set a deadline of Sept. 30, 2024, for most federal civilian agencies to adopt some level of zero trust architecture.
Meanwhile, the military services and Defense Department agencies are finalizing their zero trust plans this fall. DoD’s goal is to adopt an across-the-board “baseline” level of zero trust by 2027.
“Zero trust is an absolute next stop for security,” said Sarah Cleveland, a retired Air Force colonel and senior strategy advisor for public sector at ExtraHop.
“You need to know who’s accessing your network, why they’re accessing your network and the hygiene of your data access and security,” she continued.
The pandemic-induced shift to a hybrid workforce also raised the stakes for federal agencies to adopt strong cybersecurity practices. The Cybersecurity and Infrastructure Security Agency’s zero trust maturity model lays out the pillars and cross-cutting capabilities of a strong zero trust architecture.
“Knowing how people access their data back at the office, zero trust will also open the way for VPN replacements,” Cleveland said. “But it’s really something that we absolutely have to go to in this current cybersecurity environment with people who mean to do us harm. And the network is a highway that everybody operates on. We all have a responsibility to secure who’s on it and what they’re doing.”
While the federal government has a mandate to move toward zero trust, no such directive exists for the private sector. But Cleveland said companies should be paying close attention to where agencies are moving when it comes to their network security practices.
“The reason why the commercial industry needs to take note is if they expect to do business with the federal government, or any sort of federal entity, they need to be practicing those same cybersecurity practices, which will include a zero trust implementation,” she said. “You’re only as good as your weakest link. Doing business with an entity that doesn’t implement zero trust architecture can indeed put your operation at risk.”
Federal agencies are also adopting new software supply chain security requirements outlined in President Joe Biden’s May 2021 cybersecurity executive order. Cleveland said software supply chains are complex. Whether a software vulnerability will turn into a damaging cyber exploit is often unknown until the attack actually happens.
“Until that compromise happens, you may not know what the trickledown effect is because of the complexity of your network, and the complexity of what software touches what,” she said.
“Software that can’t be patched or software that doesn’t get patched is a problem in that supply chain,” Cleveland continued. “Poor access controls or third party vulnerabilities that have been inserted into the actual code that you may not have any awareness over. It’s been packaged just like it would normally be packaged when you put it on your network. And there’s a vulnerability in it. And then there’s the unknown exploits, the things you cannot plan for. And there is always going to be that risk.”
She said it’s critical that government and commercial industry continue to work closely together to address new vulnerabilities and challenges as they emerge.
“We can work together to solve these problems so they don’t become something that threatens our finances, healthcare, schools or food supplies as a society,” Cleveland said.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Senior Strategic Advisor, Public Sector, ExtraHop
Reporter, Federal News Network
Senior Strategic Advisor, Public Sector, ExtraHop
Reporter, Federal News Network
Justin Doubleday is a defense and cybersecurity reporter for Federal News Network. He previously covered the Pentagon for Inside Defense, where he reported on emerging technologies, cyber and supply chain security. Justin is a 2013 graduate of the University of New Hampshire, where he received his B.A. in English/Journalism.