New Federal Cybersecurity Requirements: How Agencies Should Implement a Zero Trust Architecture


With this year’s release of a major cybersecurity strategy, the White House is sending a clear message to agencies: We must move toward the implementation of a zero trust architecture (ZTA) government-wide – and swiftly.

The draft version of the Federal Zero Trust Strategy supports the Executive Order on Improving the Nation’s Cybersecurity by clarifying ZTA priorities, identifying needed outcomes and setting baseline policies/technical requirements for agencies.

As defined by the Zero Trust Reference Architecture published by the Department of Defense (DoD) earlier this year, agencies with an effective ZTA enforce rules and controls so “no actor, system, network or service operating outside or within the security perimeter is trusted. Instead, (agencies) must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks and data, from verify once at the perimeter to continual verification of each user, device, application and transaction.”

Fortunately, this transition is well underway: Four of five federal IT decision-makers and other government tech leaders and executives say they are including or defining zero trust within their cybersecurity strategy. But only 55 percent are “very” confident in their agency’s ability to deliver on a zero trust framework.

To hopefully boost this confidence, the White House strategy directs agencies to achieve five goals by the end of Fiscal Year 2024. All five are closely aligned to five pillars of the Zero Trust Maturity Model published by the Cybersecurity and Infrastructure Security Agency (CISA) in June. Here are the goals, along with our recommended best practices as to how to implement them:

1) The establishment of a single sign-on service (SSO) for users that is integrated into applications and common platforms, along with multi-factor authentication (MFA) at the application level with enterprise SSO whenever feasible.

Best practices for implementation: The government has widely adopted MFA, such as the DoD’s Common Access Card (CAC) and Personal Identity Verification (PIV), but not all systems can accommodate these controls. It is essential to have a variety of authentication techniques that can be applied across the wide range of applications in government. This means agencies must rank systems according to mission-criticality, sensitivity and likelihood of breach, roll out MFA first to the systems deemed most critical, and then work down the list from there.

In addition, agencies cannot overlook privileged access management (PAM) as part of this. While PAM isn’t addressed in depth in the strategy, 74 percent of IT decision-makers whose organizations have been breached indicate that the incident was linked to the accessing of a privileged account. Therefore, agencies need to establish effective, proven PAM controls.

2) The completion of an inventory of every device operated and authorized for government use, with the capability to detect and respond to incidents on these devices.

Best practices for implementation: Security teams should make sure that every device is covered, including Internet of Things (IoT), operational technology (OT) and cyber-physical system (CPS) devices. A comprehensive ZTA plan will incorporate all of these into a monitoring, detection and protection program.

To increase the effectiveness of threat hunting with government-wide endpoint detection and response, the data collected on endpoints needs to be correlated, enriched, analyzed and acted upon in a timely manner. Security orchestration, automation and analytics are essential to accomplish these goals.

3) The encryption of all DNS requests and HTTP traffic, and the segmentation of networks around their applications.

Best practices for implementation: Continued use of shared services such as CISA’s Protective DNS allows agencies to focus their efforts on other – and more challenging – aspects of zero trust strategy, particularly application segmentation. The strategy indicates that agencies must run every distinct application in its own separate network environment. “Multiple applications may rely on specific shared services for security or other purposes,” it states, “but should not rely on being co-located within a network with those services and should be prepared to create secure connections between them across untrusted networks.”

Using software-defined networking and security to create these micro-perimeters provides the speed, flexibility and scalability needed to build zero trust network segments. Segmentation can be enforced using various techniques applied at the network, application, user or data layer. Therefore, it is essential to first understand the use cases and requirements prior to implementation.
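As an added illustration of the segmentation rule quoted above (one application per segment, default deny between segments, and only explicit, encrypted connections to shared services), the following policy evaluator is example code written for this article, not part of the strategy or any agency tool; the application names, segment names, ports and transport labels are constructed sample data.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed inventory: every distinct application sits in its own segment.
# Shared services (identity, logging) get their own segments as well.
SEGMENTS = {
    "payroll-app": "seg-payroll",
    "grants-portal": "seg-grants",
    "identity-svc": "seg-shared-idp",
    "logging-svc": "seg-shared-logs",
}

# Explicit allow-list of cross-segment flows: (src segment, dst segment, port,
# minimum transport). Anything not listed here is denied by default, so an
# application cannot rely on merely being "near" a shared service.
ALLOW_RULES = {
    ("seg-payroll", "seg-shared-idp", 443, "mtls"),
    ("seg-grants", "seg-shared-idp", 443, "mtls"),
    ("seg-payroll", "seg-shared-logs", 6514, "tls"),
    ("seg-grants", "seg-shared-logs", 6514, "tls"),
}

# Ordering used to decide whether an observed transport meets the rule's minimum.
TRANSPORT_STRENGTH = {"plaintext": 0, "tls": 1, "mtls": 2}


@dataclass(frozen=True)
class Flow:
    src_app: str
    dst_app: str
    port: int
    transport: str  # "plaintext", "tls" or "mtls"


def evaluate_flow(flow: Flow) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one observed or requested flow."""
    src_seg, dst_seg = SEGMENTS.get(flow.src_app), SEGMENTS.get(flow.dst_app)
    if src_seg is None or dst_seg is None:
        return "deny", "unknown application: not in the segment inventory"
    if src_seg == dst_seg:
        return "allow", "intra-segment traffic (same application)"
    observed = TRANSPORT_STRENGTH.get(flow.transport, -1)
    for rule_src, rule_dst, rule_port, required in ALLOW_RULES:
        if (rule_src, rule_dst, rule_port) == (src_seg, dst_seg, flow.port):
            if observed >= TRANSPORT_STRENGTH[required]:
                return "allow", f"explicit rule; {flow.transport} meets {required}"
            return "deny", f"rule requires {required}, flow uses {flow.transport}"
    return "deny", "no explicit cross-segment rule (default deny)"
```

Feeding captured flow records through `evaluate_flow` before the cut-over gives a list of every connection that will break under the new policy, which is the "understand the use cases first" step in practice.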

4) The treatment of all applications as internet-connected while routinely subjecting these tools to rigorous testing and external vulnerability reports.

Best practices for implementation: This represents a major shift for the government – the acceptance, and even embrace, of a perimeter-less architecture in which all applications (including Federal Information Security Modernization Act-regulated ones) are connected to the internet. While the strategy states that agencies must “create minimum viable monitoring infrastructure and policy enforcement to safely allow internet access,” it doesn’t offer many specifics on how to accomplish this. Security teams will have to determine what level of monitoring and controls (firewalls, packet capture, network detection and response, etc.) will effectively enforce the security standards required for these applications. Recent breaches stemming from SolarWinds and Microsoft Exchange highlight the need to improve software supply chain and application security capabilities, particularly continuous analysis and continuous monitoring.

5) The deployment of protections that make use of thorough data categorization and access monitoring, and the implementation of enterprise-wide logging and information-sharing.

Best practices for implementation: This goal describes the automation of security monitoring and enforcement – or security orchestration, automation and response (SOAR) – as a “practical necessity.” But agencies will do themselves a disservice if they deploy SOAR solely to address the data goals. They must deploy SOAR throughout their entire IT environment as part of their ZTA program, and ensure that SOAR plays a lead role in achieving the five goals summarized here. In the process, agencies will benefit from a wealth of actionable intelligence to enrich their cybersecurity posture throughout the enterprise.

It is very encouraging to see the administration call for a comprehensive strategy. Security leaders and their teams are increasingly recognizing that zero trust brings a vigilant level of oversight and controls which modern times require. However, agencies should carefully consider what is needed in terms of resources and execution to sufficiently satisfy each goal – and even surpass what is “on paper” in the strategy to include SOAR, PAM and additional measures – to best protect themselves for now and the indefinite future.

About Miguel Sian
Miguel Sian is vice president of technology at Merlin Cyber.