The Keys to Implementing Zero Trust are People, Process, Tech

Agencies must holistically invest in a strategic model, like the “people, process, technology” framework when implementing asset management and zero-trust architecture to successfully defend against cyberthreats and enhance overall resilience, government leaders said during a FedInsider webinar.

“I always use the framework because change adoption and user acceptance are very important when cybersecurity fields are implementing a change,” said Bureau of Engraving and Printing (BEP) Acting Deputy Director and Chief Administrative Officer Harry Singh. “We’re in the process of implementing zero trust excellence, so as we deploy tools, it’s always going to be user-centric planning with feedback mechanisms.”

Singh said it’s imperative to educate users, instruct the impact of the change, gather feedback and embrace emerging challenges as opportunities instead of setbacks. He added that creating a situational awareness program will always result in positive output.

As agencies integrate cyber asset management practices, federal government partnerships with the private sector can be instrumental in establishing security standards for software development.

“It’s quite a challenge, but whether it’d be with public or private corporations, we must look at how we can all buy into the same policies and concepts to reduce risks,” said Government Accountability Officer CISO Mark Canter. “It’s a group effort and it goes into the ‘see something, say something’ slogan. As we move forward, everyone must understand risks, not just for their specific responsibilities, but for the larger risk of the organization.”

“When establishing security standards for software development, maybe we can have a software-secure label, just like we have an FDA-approved drug label,” Singh added.

According to the Cybersecurity and Infrastructure Security Agency (CISA), the five pillars of zero trust architectures are identity, device, application workload and data. Singh emphasized that neglecting any one of these pillars may likely result in an incomplete model.

The core of BEP’s approach to maintain visibility across their network and improve threat detection and response is leveraging the three W’s of zero trust: who’s accessing the network, what actions are they performing, and where on the network can they be found, Singh said.

“Our primary strategies focus on the management of identity and data, but answering all of these questions in real time is crucial and represents your agency’s current stage,” Singh said. “I’ve learned in this zero-trust journey that it’s very important to choose tools that integrate well with our existing architecture.”