It’s Time for the U.S. Federal Government to Move (FAST) on Cloud Security and Zero Trust

Executive Order 14028 on Improving the Nation’s Cybersecurity was released in May with nine sections outlining specific focus areas for security improvements. As we noted at the time, Netskope applauded the EO for how it placed significant emphasis on zero trust security adoption, mentioning it no fewer than 11 times, and insisting on proactive action. 

Six months after the order’s release, however—and despite several guidance documents from the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA)—federal agencies are in many ways still grappling with how to best incorporate zero trust concepts into their overall security strategy.

While zero trust guidance provides a common roadmap, each agency faces the challenge of charting an effective course for adoption and layering zero trust onto its existing security strategy without disruption to mission sustainment. The first move can be the hardest, especially with funding uncertain, which is why many agencies are pushing for changes to procurement and implementation. Continuous Authority to Operate (ATO), sometimes known as rapid ATO, is one model gaining popularity; it would reduce the number of controls from hundreds to a few dozen, and shorten overall time-to-value in the process by shrinking its duration.

Despite slow progress, federal agencies that gathered at an October meeting of the Foundation for American Science and Technology (FAST) agreed that the top drivers for cloud adoption are mission requirements and the need for the government to thoroughly modernize—not just play catch up, or save money. IT modernization has been an ongoing effort across government for at least a decade, but in many cases, modernization doesn’t mean getting ahead so much as reaching a minimum threshold. 

Government systems and networks weren’t architected for the cloud. Those that haven’t yet been modernized were built to support an on-premise environment, both in terms of IT operations and security. At the FAST meeting, federal agency participants acknowledged the need to retire legacy tech and also said they are looking for integrated solutions that augment what they already have while complementing other new investments. The solution won’t be “more tech”; vendors that can make this easy—help them with their progression to cloud and embrace of a Secure Access Service Edge (SASE) architecture, regardless of their maturity level—will be the trusted partners of the agencies. 

FAST is scheduled to reconvene on January 13, 2022, to continue the conversation and come up with a list of next steps for zero trust adoption. While we wait to chart progress, you can read more of my detailed thoughts on cloud security and zero trust acceleration in this recent MeriTalk article. I also invite you to connect with me on LinkedIn and get your copy of Netskope’s Reference Architecture for Zero Trust.