Zero Trust is not a new topic of conversation for the Federal Government. However, while in the past Zero Trust was treated as a “nice to have,” it is now officially a “must have.”
And while plenty of reasons have been given over the years as to why the Federal Government should adopt Zero Trust, there are three fundamental shifts that have turned it into the clear requirement it is today.
The Sudden Transition from In-Person to Hybrid Workforces
Previously, reporting to work in-person was the status quo for the Federal Government. But due to the COVID-19 pandemic, the government’s workforce transitioned to a hybrid model practically overnight. To accommodate this shift, the government put solutions and practices into place so that employees could continue their mission-critical work. But given the suddenness with which this occurred—and the expectation that eventually, in-person work would become the norm again—these solutions and practices weren’t necessarily selected with long-term identity security in mind.
Now, it’s clear that the hybrid workforce is here to stay. This means government organizations need to address gaps in their identity solutions and practices to properly support those workforces long-term. Primarily, this means ensuring all employees—no matter where they’re located—can access the resources they need to do their jobs without compromising either their own security or the security of the organization.
This requires an access and security approach that bases risk and access decisions on more than simply whether the employee or resource resides within the corporate network perimeter. Looking beyond the perimeter in this way is a defining characteristic of Zero Trust. It’s not enough to simply ask “Where is the user coming from?” You need to ask—and be able to confirm—“Who is this user?”
The Public Impact of the Ever-Evolving, Sophisticated Threat Landscape
While it’s no secret that governments are a tempting target for cyberattackers, the impact of cyberattacks on the U.S. Federal Government tends to be a bit more nebulous to the general public. That changed with the revelation of the SolarWinds attack, which was the first in a series of high-profile attacks impacting the government and critical infrastructure. Not much later, the Colonial Pipeline attack occurred. In both cases, internal account and password vulnerabilities were revealed that opened the organizations up to risk.
The widespread, public impact of these attacks made it clear that cybersecurity must be recognized as an issue of national security, making it a priority for the Federal Government to elevate its security practices and not inherently trust any user on its network—another core tenet of Zero Trust.
The Increase in Federal Mandates Around Cybersecurity
At the time of the SolarWinds and Colonial Pipeline attacks, documentation around best practices for implementing Zero Trust in the Federal Government did exist, notably NIST Special Publication 800-207 (“Zero Trust Architecture”) and the Department of Defense’s “Zero Trust Reference Architecture.” However, while information on facilitating the move to Zero Trust was available, government-wide policies did not exist to require agencies to make that move.
That changed with Executive Order 14028 (“Improving the Nation’s Cybersecurity”), which President Biden issued following the attacks noted above. This Executive Order (EO) requires all relevant agencies to begin developing plans to implement Zero Trust as outlined in the EO and future supporting guidance.
While the EO primarily impacted Federal Civilian Executive Branch (FCEB) agencies upon initial publication, its reach spread to the Department of Defense (DoD) and Intelligence Community (IC) with the release of National Security Memorandum 08 (“Improving the Nation’s Cybersecurity”). The National Security Memorandum (NSM) mandates that the DoD and IC also comply with the EO and its future supporting guidance.
Shortly after, the Office of Management and Budget issued the supporting guidance for Zero Trust implementations: Memorandum 22-09 (M-22-09). The memo details specific requirements and deadlines federal agencies must meet with their Zero Trust implementations. Of note, these include using phishing-resistant MFA during the authentication process, dynamic attributes during the authorization process and a centralized identity management system that can easily integrate with other technologies.
Take the Next Step in Your Zero Trust Journey
Zero Trust is no longer an option for the Federal Government. And as Zero Trust is inherently an identity-centric security framework, adopting this approach requires enhancing the identity foundation supporting it. Now is the time to re-examine Federal IT environments’ existing identity capabilities and identify specific opportunities for improvement that will lay the groundwork for a successful Zero Trust implementation.