What is Zero Trust? Federal Agencies Embrace Cybersecurity Innovation
From buzzword to White House imperative, zero trust can be a confusing but necessary concept for security strategies.
Zero trust is a popular buzzword in cybersecurity and federal IT, but still it is fraught with confusion. Sometimes itโs misunderstood as a tangible product or a tool, but rather zero trust is a philosophy and approach to cybersecurity rooted in the idea that no users or devices can be trusted and all must be constantly verified in order to gain access to a network or IT system.
What is zero trust?
Stephen Marsh, an associate professor at the University of Ontario Institute of Technology, conceived the term โzero trustโ in a paper on securing IT systems in 1994. The term gained popularity in 2018 when the National Institute of Standards and Technology (NIST) released a special publication titled โZero Trust Architecture,โ which outlines the basic principles of a zero trust approach to cybersecurity that the IT community understands today.
โZero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets and resources,โ according to the NIST publication. โZero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned).โ
Microsoft describes zero trust as a new security model that โeffectively adapts to the complexity of the modern environment,โ which includes cloud-hosted platforms and networks and mobile users.
โAt its core, [zero trust is] taking a lot of principles that have been around for a long time and implementing them well, for a change,โ said former U.S. Customs and Border Protection CISO Alma Cole at the RSA Conference in April. โYouโre talking about taking that security principle of least privilege access, rolling that out, and actually implementing that in a comprehensive way across your environment and users.โ
The Department of Homeland Security, especially the Cybersecurity and Infrastructure Security Agency (CISA), aggressively pushes zero trust adoption at federal agencies to better secure federal networks. NIST and CISA lead the federal IT community in zero trust education, research, and support.
What does zero trust mean for contractors?
President Joe Bidenโs cybersecurity executive order requires federal agencies to come up with a plan to shift to the zero trust model of cybersecurity within 60 days of the order, which was July 11. The executive order charges the head of each federal agency with implementing a zero trust architecture at their agency and providing a report on their progress to Acting Director of OMB Shalanda Young and Assistant to the President for National Security Affairs Jake Sullivan by July 11.
Many IT vendors working with the federal government have already adopted a zero trust approach to cybersecurity, but now zero trust is an imperative. Federal contractors will need to ensure theyโre developing IT solutions consistent and compatible with a zero trust approach to cybersecurity.
What is the industry perspective on zero trust?
In many ways, industry has led the way in zero trust implementation. Top IT and cyber vendors like Microsoft, CrowdStrike, IBM, Forcepoint and Palo Alto Networks provide their own zero trust explainers for clients curious about their zero trust approach.
According to a 2020 Cybersecurity Insiders Zero Trust Progress Report, 72% of IT organizations plan to assess or implement zero trust practices in 2020, although 47% are โnot confidentโ in applying a zero trust security model to their business processes, compared to 53% who are confident.
Which federal agencies have deployed zero trust architecture?
Most federal agencies have already deployed or are now in the process of deploying a zero trust approach to cybersecurity. See below for additional details on some federal agenciesโ zero trust plans.
Department of Homeland Security:
- New DHS CIO Tackles Supply Chain Risk Management, Interoperability
- Supply Chain Risk, Data Interoperability are Major Goals at DHS
- SolarWinds Opened the Door for Cybersecurity Culture Overhaul at DHS
- How DHS is Securing Data in the Telework Era
Department of Health and Human Services:
- Agencies Combat Ransomware in Digital Health
- How HHS, GSA Tackled Data Security During COVID-19
- Here Are Federal Health ITโs Top Investment Areas
Defense Department:
This is a carousel with manually rotating slides. Use Next and Previous buttons to navigate or jump to a slide with the slide dots
-
CISA's CVE Program and Why it Matters for Zero Trust
The vulnerability program provides the cybersecurity community visibility into software as part of a key pillar of CISA's zero trust model.
5m read -
Agencies Use AI to Boost Efficiency, Cybersecurity Under White House Mandates
DLA and GAO are investigating how AI can boost efficiency and bolster cybersecurity as agencies align with the president's tech directives.
3m read -
DOD Cyber Strategy to Adapt to New Budgets, Tech Innovation
Budgetary pressures spur innovation as department tackles aging infrastructure and evolving threats, says top cyber official.
4m read -
Accelerating Modernization to Boost Pentagonโs Efficiency
Sean OโLone, former senior assistant to the Department of Navy CIO and current CTO of SAICโs Navy Business Group, unpacks the future of defense IT modernization.
9m watch
