President Biden’s Executive Order 14028 to improve the nation’s cybersecurity and protect federal government networks, was released more than half a year ago. At the time, one of the most exciting aspects about it was the multiple uses of the term “zero trust,” as Netskope discussed in a blog at the time. However, it’s clear that federal agencies are still working out the specifics of how to actually approach implementing zero trust.
In a recent NextGov article, Mark Mitchell, Principal at PJ Cook LLC, laid out some of the specific challenges to zero trust adoption and implementation that federal agencies should anticipate, all based on his personal experience and hard-earned lessons in the field.
Some of the key challenges he lays out include the vulnerabilities that come from using legacy technology, the issues with tooling, and how quickly requirements can become irrelevant. So much of the technology the government has been relying on for years simply wasn’t built with a zero trust approach in mind, and that the shift to a robust mature zero trust architecture won’t just require a technological shift, but a shift in mindset as well.
If government agencies are still thinking about their security as a “traditional perimeter” in a world that has transcended the perimeter, that means implementing a zero trust approach quickly is beyond unrealistic. Implementing a mature zero trust approach, especially for large government organizations is going to take time.
Putting the time into properly implementing a zero trust architecture also means being able to evaluate a given agency’s overall compliance with zero trust principles – and that requires being context-aware. As Mitchell points out, a zero trust solution needs to be both “cloud-smart” and “data-centric” to enable agencies with all of the necessary information to think quickly and make educated security decisions. In a similar vein, a recent white paper about zero trust and secure access service edge (SASE) points out that “context should be continuously evaluated” and “alterations to the context can result in an increase or decrease) in the level of trust,” ultimately altering the type of access to a given resource.
Regardless of how long it takes to implement, Mitchell is emphatic about one thing: Participation is not optional. The Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) have already started to draft guidance documents to help move federal agencies toward zero trust. While there isn’t going to be a one-size-fits-all solution, movement in this direction shows that the federal government is on its way to a zero trust-enabled future.
If you’d like to read more from Mark Mitchell on his recommendations for this government zero trust adoption, you can read his article here. And if you’d like to learn more about how Netskope is driving cloud-smart and data-centric zero trust network access, please connect with me on LinkedIn to continue the conversation and check out the Blueprint for Zero Trust in a SASE Architecture white paper.