With the zero trust deadline barely in the rearview mirror, agencies begin to see the results of their early efforts. What challenges lie ahead?
As the days ticked down to the Sept. 30 deadline on reaching baseline maturity for zero trust, the Office of the Federal CIO reported that 24 of the government’s largest agencies were nearing the high 90% range in their journeys.
When federal agencies began their zero trust journey over three years ago, the biggest challenges were figuring out “what zero trust means to me in my organization,” developing an execution plan and securing initial funding. Now, agencies are starting to see the results of their early efforts.
While the implementation of zero trust is picking up steam, the longest stretch of the journey is still ahead of them.
“When zero trust first came out three years ago, there wasn’t money that came with it. And with the Program Objective Memorandum cycle, you’re now looking at two years down the road, so we’re just now seeing the results of that first year’s worth of effort,” said Bill Lemons, director of systems engineering for Fortinet Federal, during Federal News Network’s Cyber Leaders Exchange 2024.
Plus, noted Chris Usserman, chief technologist at Infoblox Public Sector, as agencies have been working to define what zero trust means to them over the last two years, some have equated their existing cybersecurity strategies with zero trust.
“Some agencies have taken the perspective of, ‘We already do this. It’s defense in depth, or it is the aspect of what zero trust ultimately is, which is protecting the data,’” Usserman said.
But both approaches raise many questions, he said, and shared a few:
As to that last question on defense in depth, “that definition varies from person to person. It could be vendor variety. Putting in two different vendor firewalls is one definition of defense in depth, depending upon your historical experience,” Usserman said.
“One of the analogies for a lot of this relative to zero trust and identifying the limiters is: We don’t post the firemen outside the door waiting to smell smoke. Within our offices, we have fire detection and prevention systems to protect resources, people and all of the facilities,” he said. “But we don’t take the same approach to our networks. That’s something we should do. That aspect of being able to control and contain access to information down to the source of where that information is of critical importance, and organizations are still trying to figure that out.”
A lot of this work is still ahead for organizations.
As government agencies are progressing in their journeys, Lemons advised they prioritize their “precious nuggets” of data — those that are most vital to operations — and align security measures based on the value and sensitivity of the data.
“It’s very important — especially if you want to be conscious of budget and only spend the money where you absolutely need to spend that amount of money — to truly understand those nuggets of data, the applications and how efficient they need to be versus how protected they need to be with regards to the criticality of that data that is available through those applications and ensuring that whatever plans are put forward from a technology perspective to support those truly align to what those needs are,” Lemons said.
As agencies are embracing cloud — Deltek, for example, found agencies will spend more than $8 billion on cloud services in fiscal 2025 — maintaining visibility over assets becomes extremely complex.
Lemons said when it comes to hybrid environments, with data and applications moving between private and public cloud services and on premises, agencies need to be methodical in their asset monitoring and management.
“You need to understand what are the controls that you need to have in place. What’s the level of visibility that needs to be in place in order to make sure that that happens?” he said. “As long as there is that ordered and well-constructed plan, you can assess the environment and determine who can fulfill — or what platforms can fulfill — those needs. Can they do it in a consolidated fashion? Can you minimize the number of tools to simplify the management plane itself and how the controls are implemented across those various hybrid environments?”
Usserman added that a common issue within organizations is a lack of interdepartmental communication, which leads to gaps in asset visibility.
“We see this in the private sector as well, which is some aspects of a company may be going in one direction and another aspect may be going in another direction. For instance, if the marketing team opens up a URL or domain for a future event but hasn’t necessarily told the IT team — we now have this new domain that’s out there, then they don’t know that it needs to be washed or protected. Government is the same way,” he said.
Plus, in hybrid environments with workers often not in the office or working while on travel, visibility can be lost to the rest of the organization, Usserman said. Today, multicloud environments with users on the move require a broader team approach, he said.
“There are some aspects where security is now driving with network teams, with infrastructure teams,” Usserman said, adding that agencies will need “the ability to have a teaming approach going forward with a lot of these things.”