All Roads Lead to Federal Zero Trust
Over the last few years, the federal government has begun to embrace a zero trust approach as the new cybersecurity standard for agencies. Utilizing the latest solutions and best practices, the hope is to bolster federal cybersecurity and create a robust and resilient IT infrastructure that can protect and secure networks from attacks and breaches.
This process has been ongoing, but regardless of mandates, guidance, or suggestion, some agencies still hesitate to fully embrace the new standard. To help better explain how federal zero trust is being implemented, and what remains to be done to achieve it, GovCyberHub spoke with Microsoft Federal Security CTO Steve Faehl to learn more.
GovCyberHub Editors: The Biden Administration's cyber executive order (EO) was released almost a year ago. Can you give us a broad update on what’s happened since? What did the EO call for agencies to do? What new approaches to security did it encourage agencies to embrace?
Steve Faehl: The initial EO that came out, 14028, specifically had instructions for both individual agencies and the entire government. Some of the biggest questions were “What are my accountabilities?” and “What do I have to do over the next year?” I highly recommend starting by going to our webpage about federal zero trust and the EOs, as it compiles the answers there in far greater detail than I can share here.
However, the answer to all these questions is multilayered. At the very top level, the White House put out guidance to modernize federal agencies. That included creating a plan for federal zero trust and outlining implementation timelines for security best practices such as encryption and multi-factor authentication.
What is still in flux, however, is the software supply chain that the EOs reference as the primary mechanism for procurement activities. We are still seeing guidance appear on that as well and as the industry and agencies learn more, we can adapt.
There are multiple ways to embrace a federal zero trust approach and modernize cybersecurity within an agency. Remove barriers between cybersecurity teams, bolster threat intel sharing, and integrate more secure solutions - Microsoft has been helping the federal government do all of those.
We also have supported the new Cyber Safety Review Board which has been an excellent platform for collaboration and partnerships across the industry and between agencies, as well as working to flesh out the software supply chain to the best of our ability.
Implicitly called out in the EO is that the federal government must lead by example. Ideally, as they deal with and respond to attacks used against them, they can create a model for the industry to use as well. The quantity of attacks they face means they can share a lot of good information with us about incident response and help us create new solutions.
GovCyberHub: Have we seen significant amounts of agencies embracing the recommendations put forth? Has the EO had an impact, positive or negative?
Steve Faehl: I believe that it has positively impacted agencies. In conversations with many agencies, I think one of the most notable areas where we’ve seen improvement and traction is around federal zero trust.
Before the EO, zero trust appeared to be more of a vendor priority than an agency priority. And that has changed significantly as agencies are pushing vendors to create more clarity, to supply better guidance around federal zero trust, and to help them integrate it into their IT environment. All this tells me they are serious about implementing it.
A big part of that comes from the aggressive deadlines that the EO set. Agencies need to show progress towards achieving the goal and are coming together to ask, “How do we make this happen?” The EOs have certainly lit the fire beneath many agencies and helped to foment a view of security transformation as an imperative.
We also see a lot of movement around Endpoint Detection and Response (EDR) which comes from being a part of the EO requirements. That is an area where we see operationalization as the focus as many agencies are past the point of deploying tools and are now looking to use their tools more effectively as they investigate and respond to their environments.
Finally, another area we see significant progress in is the deployment of phishing-resistant Multi-Factor Authentication (MFA) tools. As part of M-22-09, we saw phishing resilience become a major focus and as a result, we are seeing more awareness of what phishing looks like, as well as further protection against the attacks themselves.
GovCyberHub: What can, and should, agencies be doing to meet the recommendations and requirements laid out in the EO - including the directive to embrace federal zero trust?
Steve Faehl: So, zero trust is an approach; it’s a fundamental framework and mentality that needs to permeate everything that an agency does.
We just referenced phishing attacks, so let's start with that. From our perspective, there are multiple ways to address them, which we break down into three levels of phishing resistance. Ultimately, it’s all about having an aware workforce and having the solutions in place to make identifying suspicious activity easy. Both of which we have built into Azure and are becoming an industry standard.
Next, let’s discuss identity management. Microsoft has solutions in Azure for it and we also have device registration with Intune. Both are present in our solutions because we see the potential to prevent many intrusions using this technology. There is also a non-security application for finding management, as these solutions can keep track of the health of devices and help to keep tabs on inventory.
All these solutions, and others, constitute federal zero trust.
GovCyberHub: Let’s say that an agency has heard all this and wants to deploy solutions. Where do they start?
Steve Faehl: Start by finding and monitoring the highest risk items, data, and services with the least end-user impact possible. I’d recommend starting with administrative functions first, and then moving on to the full network. From there just incrementally introduce and implement broad cybersecurity policies like the ones I just shared.
After that, the next hurdle is measuring progress with CISA, OMB, and NIST as you move towards a federal zero trust approach. M-22-09 does a great job of laying out how agencies can avoid boiling the ocean. “Follow that guidance, address this milestone, etc.” that will inform the glide path for the rest of the federal zero trust transformation.
GovCyberHub: What - if anything - is keeping agencies from embracing zero trust today? What are the hurdles or roadblocks?
Steve Faehl: The biggest one is probably the existence of silos, both in the customer environment as well as within the industry. If every team is doing their own thing, then you will not end up with three compatible federal zero trust approaches. You need to have a comprehensive plan in place so that as silos come down, they are replaced by a holistic cybersecurity paradigm based on zero trust principles that every team can embrace.
Over at Microsoft, we experienced this when we centralized around a specific zero trust approach. That had a profound and powerful effect on our ability to bring the whole company together. It's something that we want to help federal agencies emulate moving forward, and some of our partners are already seeing benefits from the model we have created.
The second major hurdle is using ambiguity as a reason not to do something. Let’s call this apprehension roadmap risk. For anyone out there who is hesitant about zero trust because of roadmap risk, please reach out to us. We’ve put together a comprehensive overview of how our solutions can form part of a zero trust approach for your agency.
GovCyberHub: You mentioned that there are ways for companies like Microsoft to help federal agencies create a roadmap to zero trust. Can you expand on that a bit?
Steve Faehl: A priority for us on the industry side is to do a better job with integration guidance. We are currently working with NIST on the SP 1800 series document on federal zero trust deployment and it's been very beneficial. NIST brought together 24 vendors to build and prove how to implement particular zero trust strategies using vendor components.
All this collaboration has taken place in laboratory settings, allowing us to put our solutions to the test and see how effective the federal zero trust approach would be against conditions that agencies are facing today or will face in the future. This collaboration won’t end there. I’ll speak for Microsoft, but I think the entire industry is leaning into this type of interaction.
We appreciate the leadership that the government is providing, and especially the fact that they are forming the connective tissue for us all to work around. This sort of program forms the backbone for a comprehensive betterment of government cybersecurity and is just one example of how the industry is trying to help implement federal zero trust.
GovCyberHub: What else has come out from this collaboration mindset?
Steve Faehl: A big one is that we are all working to create solutions that are specific to federal zero trust. Government IT and federal agencies will always be a major target for more specialized cyberattacks. While the principles of federal zero trust are universal, their manifestations are not.
We’ve been working to understand how the specific needs of government IT differ from commercial, and we’ve focused on only showing our agency partners resources designed for their specific scenarios.
That includes something as simple as just meeting the requirements of M-22-09 or going as far as fully embracing the outlines from M-21-31, event logging, identity management, etc. Whatever it is, Microsoft and the rest of the industry are here to help your agency transform.
GovCyberHub: Since the EO, we've seen additional cybersecurity-focused mandates and guidance released in response to the threat from Russia and recent large cyberattacks. How are things like the Cyber Incident Reporting requirement in the recent Omnibus spending bill, and the recent SP 800-172A guidance from NIST going to affect federal agencies and the vendors they work with?
Steve Faehl: The impact will mainly be to bolster the importance of things like incident reporting and raise the bar when it comes to critical infrastructure.
Something that we talk about with cybersecurity is that your adversaries get a vote. When it comes down to what is the priority of the defender, you must understand and plan for what the adversary is putting their time and energy into getting when they attack.
As such, we see critical infrastructure being a major focus area for adversary activity. Given the far-reaching nature of attacks, this has increased the need for incident reporting as the whole country, even the whole world can now be disrupted by a well-placed attack.
That’s what’s really at the heart of the recent EOs: insight. The speed by which insights are shared is essential and explains why we see such a heavy emphasis on it recently.
GovCyberHub: Any final thoughts to share?
Steve Faehl: If anyone is interested in learning more about how the industry, and Microsoft specifically, can benefit federal zero trust and federal agencies, visit our site and learn more. I think cybersecurity folks in the government may be surprised at just how painless a transition to a federal zero trust environment may be for them.