Where Are Governments in Their Zero-Trust Journey?

While the federal government deadline has arrived on implementing a zero-trust cybersecurity model, many state and local governments have committed to zero-trust architecture as well.

On Jan. 26, 2022, the Executive Office of the President issued an executive memorandum to the heads of federal government executive departments and agencies, which provided guidance and direction on zero-trust architecture (ZTA) strategy. The memo was entitled Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, and it offered follow-on guidance after the May 2021 Executive Order (EO) 14028, Improving the Nation’s Cybersecurity.

Here's how the 2022 memo begins:

“This memorandum sets forth a federal zero trust architecture (ZTA) strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 in order to reinforce the government’s defenses against increasingly sophisticated and persistent threat campaigns. Those campaigns target federal technology infrastructure, threatening public safety and privacy, damaging the American economy, and weakening trust in government.”

A bit further down the page, you find these executive summary points:

“This strategy envisions a federal government where:
  • Federal staff have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks.
  • The devices that federal staff use to do their jobs are consistently tracked and monitored, and the security posture of those devices is taken into account when granting access to internal resources.
  • Agency systems are isolated from each other, and the network traffic flowing between and within them is reliably encrypted.
  • Enterprise applications are tested internally and externally, and can be made available to staff securely over the Internet.
  • Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information.
This strategy places significant emphasis on stronger enterprise identity and access controls, including multifactor authentication (MFA).”

ZERO-TRUST STATUS NOW


Fast-forward to September 2024, and "Major federal agencies are close to meeting September zero-trust deadline, federal CIO says," according to NextGov/FCW: “A tranche of major federal agencies have nearly met a Sept. 30 deadline requiring them to build out and adopt a degree of zero trust architecture on their networks, federal CIO Clare Martorana said Wednesday (Sept. 4, 2024).”

Also from that article: “Federal cyberdefenses became a top issue for the Biden administration after the Colonial Pipeline and SolarWinds Orion incidents that occurred in the past couple years. Other headline-making hacks have followed, including last summer when Chinese operatives accessed the email inboxes of U.S. officials, which later became the subject of a major DHS oversight report.”

WHERE ARE STATE GOVERNMENTS ON ZERO TRUST?


And while major progress can be measured for federal government agencies, an article written by Apu Pavithran for govtech.com in March 2024 urged state and local governments to mandate zero trust:

“The success of the federal government’s zero-trust transition highlights the need for state and local mandates. The strict deadline serves as a catalyst, compelling action and fostering a resilient cyber culture. …

“The deadline is prompting action. With a goal in sight, federal agencies have a systematic and organized path toward stronger defenses. In an era where cyber threats advance in sophistication and intensity, this proactive stance is paramount for securing critical systems and data. This is something state and local governments must consider when fortifying for the future.”

And while the lack of mandates makes progress on zero trust difficult to gauge with precise metrics, most states have expressed a desire to implement ZTA. These realities show up all over the country at cyber summits and technology conferences.

For example, a California Department of Technology Letter 23-01 states: “This TL also serves as a notice that all state entities must work toward a Zero Trust Architecture (ZTA) model as outlined in NIST 800-207. Refer to the Cybersecurity [and] Infrastructure Security Agency (CISA) Zero Trust Maturity Model Version 2.0. By May 2024, all state agencies/entities must have assessed, planned, and implemented the “Initial” maturity stage of each of the five pillars including Identity, Devices, Networks, Applications and Workloads, and Data.”

This article outlines how Florida has encouraged the implementation of ZTA through House Bill 7055, also known as the Local Government Cybersecurity Act, which was signed into state law on June 24, 2022:

“Government entities will have to adopt cybersecurity standards to protect its data, network, equipment and other technology resources. These standards must be consistent with generally accepted best practices from the National Institute of Standards and Technology (NIST).

The required adoption dates for these standards depend on the size and type of your entity:
  • The deadline is Jan. 1, 2024 for counties with a population of 75,000 or greater and municipalities with a population of 25,000 or greater.
  • The deadline is Jan. 1, 2025 for counties and municipalities falling under these thresholds.”

The article also points out that these NIST standards highlight the need for implementing advanced security measures to prevent ransomware attacks and other intrusions, such as an EDR, XDR or zero-trust methodology.

OTHER ZERO-TRUST RESOURCES


While it would be a big undertaking to go through zero-trust status on a state-by-state basis, here are some resources to help:

Fortinet’s Jim Richberg offers this material.

Netskope ZTA materials can be found here.

General Dynamics ZTA information can be found here. Here's an excerpt from that page:

“While every organization’s zero trust journey will be different, states can focus their resources on five general areas when navigating their path to a zero trust environment.
  • Focus on identity and access management.
  • Divide networks into smaller, more manageable segments with controlled access.
  • Encrypt sensitive data both at rest and in transit.
  • Deploy monitoring tools for real-time threat detection.
  • Update infrastructure and systems to support a zero trust architecture.”

I also like this government ZTA material: NSA’s Final Zero Trust Pillar Report Outlines How to Achieve Faster Threat Response Time.

And here's an excerpt from a recent article entitled How to Prepare for CMMC 2.0: the Newest DOD Cybersecurity Standard: “As part of this process, companies are looking to ensure that they have the technology in place to follow zero-trust philosophies championed by the Pentagon. That includes multifactor authentication, encryption and data loss prevention tools, [Arctic Wolf Field CTO Christopher] Fielder says. CMMC also stresses the ability to limit information to authorized users and managing physical devices such as USB keys.”

Plus, CISA's Zero Trust Maturity Model Version 2.0:
“CISA’s Zero Trust Maturity Model is one of many roadmaps that agencies can reference as they transition towards a zero trust architecture. The maturity model aims to assist agencies in the development of zero trust strategies and implementation plans and to present ways in which various CISA services can support zero trust solutions across agencies.

“The maturity model, which includes five pillars and three cross-cutting capabilities, is based on the foundations of zero trust. Within each pillar, the maturity model provides specific examples of traditional, initial, advanced, and optimal zero trust architectures.

“Version 1.0 of the ZTMM opened for public comment in September 2021. The Response to Comments for Zero Trust Maturity Model summarizes the comments and modifications in response to version 1.0 feedback.

“Version 2.0 incorporates alignment to OMB M-22-09, published in January 2022.

“Click here for a downloadable version of the Zero Trust Maturity Model V2.0.”

And finally, from Forbes, The Zero-Trust Concept And Use Cases Explained.

FINAL THOUGHTS


One more piece worth reviewing. I like this piece from the Federal News Network describing how "agencies start to focus on zero trust ‘outcomes,’ instead of checklists."

Here’s a great quote from Eric Trexler, senior vice president for U.S. public sector at Palo Alto Networks, on the “modernization of zero trust” within the public sector:

“Automation and artificial intelligence allow us to package up what’s happening on our networks, on our systems, within our workloads, and only elevate the highest order activities to the humans. ... It also frees up our humans, our personnel, to write more playbooks, to automate more, as opposed to just responding to hundreds of thousands of miscellaneous and benign, in many cases, updates and alerts.”

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.