Zero Trust: Pillars, a Memo and the All-important Deadlines to Come

Zero Trust is a concept gaining significant attention across the federal landscape. The idea isn’t new, and yet the notion of "never trust, always verify" is appearing more and more in memos, solicitations and other federal government announcements. For example, the Office of Management and Budget (OMB) released memo M-22-09, "Moving the U.S. Government Toward Zero Trust Cybersecurity Principles," in late January 2022. It describes in detail the five pillars of the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Architecture (ZTA) and announces a 60-day deadline for all agencies to submit an implementation plan for FY22-FY24. While we await that deadline of late March 2022 and the associated plans, let’s break down both the definition of each pillar encompassed in CISA’s Zero Trust strategy, as well as priorities and insights necessary to be well positioned in the federal market. After all, what good is all the talk around Zero Trust without an actionable and approachable plan for the end-user?

CISA’s 5 ZTA Pillars

OMB provides the following definitions and goals for each of the five pillars of Zero Trust:

  1. Identity: Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant multi-factor authentication (MFA) protects those personnel from sophisticated online attacks.
  2. Devices: The federal government has a complete inventory of every device it operates and authorizes for government use, and can prevent, detect and respond to incidents on those devices.
  3. Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment and begin executing a plan to break down their perimeters into isolated environments.
  4. Applications and Workloads: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.
  5. Data: Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data and have implemented enterprise-wide logging and information sharing.


Priorities for Industry

Definitions are a good start, but agencies must create concrete plans to protect the resources within each pillar. Let’s examine how to penetrate the market, pillar by pillar.

Identity
Within the identity framework, companies will want to provide MFA applications and platforms. MFA technologies include hard tokens, soft tokens and biometrics. Single Sign On (SSO), identity federation and privileged account management (PAM) should also be on the radar.

Devices
Tracking thousands of devices across multiple agencies is a monumental challenge. Fundamentally, the focus in this pillar is to create a reliable inventory. According to the OMB memo, it aims to help agencies achieve the foundational awareness of their own assets across their enterprise. Companies will want to focus their efforts on Mobile Device Management (MDM), as well as Mobile Application Management (MAM) and Network Access Control (NAC).

Networks
In the networks section of the OMB January 2022 memo, the government notes, “More generally, agencies should plan for cryptographic agility in their network architectures, in anticipation of continuing to adopt newer versions of TLS and other baseline encryption protocols.”

Those in industry may best position themselves by approaching the networks pillar focused on delivering the following technologies:

  • Software-defined networking (SDN)
  • Software-defined perimeter (SDP)
  • Isolation technologies
  • Traditional firewalls
  • Gateways and IDS/IPS|SIEM and logging solutions
  • Behavior analysis
  • Cloud access security broker (CASB)
  • Domain name system security extensions (DNSSEC)
  • Transport layer security/secure sockets layer (TLS/SSL)

Applications and Workloads
OMB's vision for this pillar focuses on, “…treating all applications as internet-connected, routinely subjecting their applications to rigorous empirical testing, and welcoming external vulnerability reports.” Internet accessibility combined with safe access is the primary name of the game here. Agencies will likely be looking for secure access control, consistency across platforms, as well as continuous integration/continuous deployment (CI/CD) and Infrastructure as Code (IaC). Companies providing DevSecOps, container security, and code scanning will be best positioned to penetrate this area.

Data
Here, the government aims to use cloud security services to discover, classify, tag and protect sensitive data across enterprise-wide systems. The sticking point for many agencies within this pillar is not only protecting identified datasets, but as noted in OMB’s memo, “…grappling with more loosely structured and dispersed data systems (such as email and document collaboration) and intermediate datasets that exist principally to support the maintenance of other primary datasets.”

Industry may be best poised to aid in the challenges presented in the long run by incorporating portion marking, encryption in place, data loss prevention, file integrity monitoring, data discovery, key management systems (KMS) and data backup systems.

On the Immediate Horizon: 30-60-90 Days Out

OMB's memo notes distinct deadlines for progress:

Within 30 days of the published date, agencies must identify an implementation lead, followed by 60 days to submit an implementation plan. Within 90 days, the memo states the Federal Chief Data Officer (CDO) Council and the Federal Chief Information Security Officer (CISO) Council will create a joint working group on zero trust data security for agencies, with representatives of both councils and led by OMB. This proves to be a tight timeline for results, but given the immediate need for abatement of cyber security vulnerabilities and attacks, it naturally follows that the government is aiming for both speed and accuracy in implementing its zero trust strategy. Whether or not these timelines are flexible remains to be seen. By the end of Q2FY22, however, implantation plans should be set, and that should provide both the federal government, as well as industry, a much clearer path forward with pen to paper for step-by-step processes toward literally securing the future.

To get more DLT Market Insight content, please visit our Market Intelligence microsite.
 

About the Author:
Susanna Patten is a senior analyst on the DLT Market Insights team covering tech domain centric trends across the Public Sector.