The President’s Executive Order for Improving the Nation’s Cybersecurity ignited 90-day cyber sprints to strengthen cybersecurity across federal agencies.  As part of the EO, agency leaders by now have developed a plan to implement a Zero Trust Architecture (ZTA) within their agencies, incorporating migration steps laid out by the National Institute of Standards and Technology (NIST). Zero Trust represents a mindset shift in cybersecurity in which every transaction is verified before access is granted to users and devices. In the federal government, Zero Trust is still a relatively nascent approach, with pockets of pilot programs sprinkled across various agencies. The Cybersecurity and Infrastructure Security Agency (CISA) and other agencies are working together to help the entire government shift to Zero Trust. To that end, The Office of Management and Budget (OMB) and CISA have released draft documents for public comment that form a roadmap for agencies to achieve specific zero-trust security goals by the end of fiscal year 2024. Grouped using the five pillars that underpin the zero-trust maturity model released by CISA, the goals focus on identity, device, network, application workload and data. Agencies will automate security across these pillars through continuous validation and real-time machine learning analytics, according to cybersecurity officials. Agencies will also be given one month from publication of the OMB memo to name an implementation lead to engage with and report to OMB. Agencies should re-prioritize funding in FY22 to achieve priority goals, or seek funding from alternative sources, such as agency working capital funds or the Technology Modernization Fund (TMF). 

Momentum is building for the shift to Zero Trust. IT leaders recognize that cybersecurity models are increasingly going to be defined by a zero-trust architecture. No one size fits all. Cybersecurity officials caution that the transition will take time, money, and an intense focus on the elements needed to make Zero Trust a reality. While the EO focuses on short-term objectives, it lays the groundwork for agencies to develop long-term strategies to adopt Zero Trust. The OMB and CISA documents clarify the principles of Zero Trust and offer steps agencies should take to effectively implement this emerging security framework.

Join AFCEA Bethesda for a webinar on October 13 to hear government cybersecurity leaders and experts discuss how agencies can make meaningful progress implementing Zero Trust within the next three years.