Federal agencies have made strong progress in meeting zero trust security mandates, government officials say.
While the push to meet zero trust mandates can prompt a check-the-box approach focused primarily on compliance, agencies are recognizing the broader mission benefits that come from a more dynamic approach, according to technology experts. Zero trust can enable agencies to share data across organizations, automatically adjust access based on real-time conditions, and adapt cybersecurity approaches to changing missions and operating environments – from the data center to the edge.
For example, the dynamic, software-driven nature of zero trust enables agencies to address specific, regional, and localized threats without affecting the entire enterprise.
“Agencies are starting to realize, as they’re moving through these compliance-driven activities, that they can go way beyond compliance to really capture the value of a zero trust architecture and all those investments they’re making,” said John Sahlin, vice president of cyber solutions at General Dynamics Information Technology (GDIT).
The capabilities unleashed by zero trust include the ability to verify user and device identities in real time, automatic classification and protection of sensitive data, and threat detection enabled by artificial intelligence (AI).
Zero trust enables strategic use of data
An often-unnoticed benefit is that zero trust’s enhanced data protection allows IT professionals to focus on using data in new ways, which is especially important as data volumes grow exponentially.
For example, zero trust also allows for collaborative security environments that rely on micro-segmentation – a cybersecurity approach that divides a network into smaller, granular security zones – to enable multiple agencies to confidentially share mission-critical data and enable warfighters make split second decisions securely.
“We can write policies on the fly and apply them to data objects, rather than building a whole new infrastructure to support data sharing. That’s worth everything to the mission because it allows the mission to operate at the speed of need,” Sahlin said.
Yet much of the Federal focus remains on compliance, mainly because agencies have been working to comply with a series of zero trust mandates. The most prominent is a 2022 Office of Management and Budget (OMB) memo that required Federal agencies to meet specific zero trust standards and objectives by the end of fiscal year 2024. As of September, former Federal chief information officer, Clare Martorana, said some agencies had achieved a more than 90 percent rating on meeting the OMB standards.
Agencies can go beyond such numerical goals, GDIT’s Sahlin explained, by viewing zero trust as an opportunity to broadly enhance their cybersecurity postures and enable strategic mission outcomes that span from enterprise to edge.
Among the big-picture benefits are simplified network environments, which translate to smaller attack surfaces that are easier to protect.
Zero trust’s dynamic, AI-enabled capabilities enable mission continuity
Another key benefit that zero trust brings to organizations is real-time, attribute-based identity and device management, which allows for continuous monitoring and updating of authenticated users and devices across platforms. This enables IT teams to zero in on very specific details about users and their activities on the network to enforce security controls.
For instance, a network administrator with unrestricted access could open intelligence reports, but doing so would raise a red flag. With risk-adaptive access control enabled by zero trust, their access can be restricted until a verified need for the data is established.
Embracing the benefits of AI is yet another way to move beyond pure compliance in zero trust to enable agency missions, said Rob Sheldon, who is senior director for public policy and strategy at CrowdStrike.
“AI-enabled threat detection can piece together seemingly innocuous data points to identify patterns that humans might not otherwise. Then, humans step in to evaluate the data in light of the mission and quickly implement policy changes,” Sheldon said. “AI, coupled with dynamic policy enforcement, helps agencies ensure mission continuity.”
As agencies progress toward full compliance with zero trust requirements, the powerful capability benefits of zero trust, including verification of user and device identities in real time, automatic classification and protection of sensitive data, and threat detection enabled by AI, will support successful agency missions, from the data center to the edge, the experts said.