Public Sector Leading Zero Trust
The private sector should be paying attention to what the US Government is doing.
Introduction
In the past few years, the US Government has been aggressively pursuing a Zero Trust cybersecurity strategy.
What is Zero Trust? Zero Trust is an identity-based security model that assumes that all users, devices, and applications are potentially malicious and should not be automatically trusted. Zero Trust requires continuous verification of identity and access, as well as monitoring of all traffic and activity for anomalous behavior.
The US Government's pursuit of a Zero Trust strategy is a direct reflection of the changing world in which we live, most recently accelerated by the state-sponsored SolarWinds cyber attack reported in December 2020.
With the explosion of cloud computing, increasing consumption of SaaS services, and remote workforces, the age-old corporate office and data center perimeters are a relic of the past. This has decimated our “walls of safety”, and our previous “trust behind the walls” approach, leaving us exposed to an alarming number of successful cyber attacks, including breaches and ransomware.
The US Government must be a leader in cybersecurity in order to protect critical infrastructure that saves lives and keeps our country operating.
Its aggressive adoption of Zero Trust legitimizes Zero Trust as a stronger security model. They have charted the course that the private sector can learn from. They are pushing Zero Trust forward - and we should all be sitting up in our chairs.
The US Government isn’t the only institution using cloud computing, SaaS, and supporting remote work.
What has the US Government been up to?
This article summarizes the combined activities from US Federal Agencies over the past few years to advance the state of Zero Trust across the United States and, ultimately, across the world.
The Initiative Summary Table section near the end of this article includes links to all the initiatives mentioned.
You won’t be blamed if you’re not aware of all of these orders, memorandums, and strategies, or understand how they all relate, as there has been a flurry of federal activity regarding Zero Trust since early 2021, when a growing number of successful attacks served as a wake-up call to the blind spots of the perimeter-based security model, highlighting that the trust we’ve built into our digital systems has left us exposed and vulnerable more than ever before.
“If an organization as large, as siloed, and as disjointed as the Federal Government can do this, it’s proof positive any organization can.”
Executive Orders and Memorandums
Presented below are the Executive Orders and Memorandums from the US Government that advance Zero Trust, arranged chronologically by their respective publication dates.
What is the difference between Executive Orders and Memorandums? An Executive Order is a directive issued by the President that has the force of law. A Memorandum is a document that provides guidance or instructions to Federal Agencies.
May 2021:
Executive Order on Improving the Nation's Cybersecurity (EO 14028)
This Executive Order, EO 14028, aims to improve the Federal Government's ability to identify, prevent, and respond to cyber threats. It is a significant step forward in the fight against cybercrime, aimed to help make the Federal Government more secure.
The order calls for all Federal Agencies to adopt a Zero Trust security strategy. It created a new Zero Trust Task Force, responsible for coordinating the implementation of the order across the Federal Government, and led by the Office of Management and Budget (OMB).
The order also created the Office of National Cyber Director (ONCD), responsible for advising the President on cybersecurity policy and strategy. The ONCD is also responsible for coordinating the Federal Government's cybersecurity efforts and for developing and implementing a National Cybersecurity Strategy.
January 2022:
Memorandum on Advancing Zero Trust Architecture (M-22-09)
This is OMB's Federal Zero Trust Strategy, outlining the aggressive plan for moving the US Government towards Zero Trust and requiring Federal Agencies to meet specific objectives around Zero Trust leadership, planning, and implementation. Specific requirements called out in the memorandum include:
Within 30 days of publication, designate and identify a Zero Trust strategy implementation lead for their organization, as "OMB will rely on these designated leads for Government-wide coordination"
Within 60 days of publication, agencies must build upon the plans required by EO 14028 by incorporating the requirements of the memorandum into their plans along with a Fiscal Year 2024 estimated budget.
This memorandum requires specific Zero Trust security goals to be in place by the end of Fiscal Year 2024 (September 30, 2024):
Identity: Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.
Devices: The Federal Government has a complete inventory of every device it operates and authorizes for Government use, and can prevent, detect, and respond to incidents on those devices.
Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment, and begin executing a plan to break down their perimeters into isolated environments.
Applications and Workloads: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.
Data: Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data, and have implemented enterprise-wide logging and information sharing.
March 2023:
National Cybersecurity Strategy (NCS)
A broad memorandum from the Biden-Harris Administration, this is a comprehensive plan to protect the United States from cyber threats. The NCS identifies Zero Trust as a key strategy for protecting the nation's critical infrastructure and networks.
The NCS calls on both Federal Agencies as well as the private sector to implement Zero Trust solutions through stronger identity and posture management, modernizing technology, and education. Key call outs of this national strategy include:
The NIST-led digital identity research program authorized in the CHIPS and Science act will strengthen digital credentials, incorporate attributes into authentication and authorization, produce new standards, and develop digital identity platforms.
The OMB has a multi-year plan to accelerate technology modernization and remove all legacy systems incapable of implementing a Zero Trust strategy within a decade.
The ONCD will lead the development and implementation of a National Cyber Workforce and Education Strategy, increasing access to cyber education and training to address the widening cybersecurity skills gap.
“The real result of the Presidential Executive Order and the Cybersecurity Strategy has been a change of incentives inside not just the US Federal Government, but around organizations all over the world who now have a mandate to start talking about Zero Trust, exploring Zero Trust, and figuring out how they can use Zero Trust ideas and strategies inside their environments to protect the important data and resources they have.”
Other Federal Agency Initiatives
Several Federal Agencies have developed additional Zero Trust initiatives, which are listed below in chronological order of their respective publication dates.
August 2020:
NIST SP 800-207: Zero Trust Architecture
As a reference model for both private and public sectors, NIST established Zero Trust guidance through NIST SP 800-207, providing an abstract definition of Zero Trust Architecture (ZTA), along with general deployment models and use cases where ZTA could improve an enterprise's overall IT security posture. This guidance is frequently referred to across private industry, and is considered a trusted reference from which to base a Zero Trust Architecture against.
Among many other things, NIST SP 800-207 calls out seven tenets of Zero Trust:
All data sources and computing services are considered resources
All communication is secured regardless of network location - network location alone does not imply trust
Access to individual enterprise resources is granted on a per-session basis - trust in the requester is evaluated before the access is granted
Access to resources is determined by dynamic policy - including the observable state of client identity, application/service, and the requesting asset - and may include other behavioral and environmental attributes
The enterprise monitors and measures the integrity and security posture of all owned and associated assets - no asset is inherently trusted
All resource authentication and authorization are dynamic and strictly enforced before access is allowed, and is continuously reevaluated in ongoing communication
The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture
February 2021:
NSA CSI: Embracing a Zero Trust Security Model
As part of its work, the National Security Agency (NSA) publishes “cybersecurity information sheets” (CSIs) to provide guidance on the latest cybersecurity tactics, techniques, and procedures (TTPs) as well as other cybersecurity topics. This CSI explains the Zero Trust security model and its benefits, as well as challenges for implementation. It discusses the importance of building a detailed strategy, dedicating the necessary resources, maturing the implementation, and fully committing to the Zero Trust model to achieve the desired results.
The document’s recommendations are meant to assist cybersecurity leaders, enterprise network owners, and administrators who are considering embracing a Zero Trust cybersecurity model.
June 2021:
CISA Zero Trust Maturity Model
The Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model represents a gradient of implementation across five distinct pillars, where minor advancements can be made over time toward optimization.
As the lead agency on federal cybersecurity and risk advisory, CISA’s Zero Trust Maturity Model is meant to assist agencies in the development of their Zero Trust strategies and implementation plans, and present ways in which various CISA services can support Zero Trust solutions across agencies.
The five pillars of the maturity model:
Identity
Devices
Networks
Applications and Workloads
Data
The three themes that cut across the pillars:
Visibility and Analytics
Automation and Orchestration
Governance
LATE BREAKING NEWS! At the time of publication of this blog post, version 2.0 of the CISO Zero Trust Maturity Model has just been released. See the link to the original version as well as this latest version in the Initiative Summary Table below.
February 2022:
NSTAC Report to the President: Zero Trust and Identity Management
As one of three key cybersecurity issues from the President’s National Security Telecommunications Advisory Committee (NSTAC) multi-phase study on “Enhancing Internet Resilience in 2021 and Beyond”, this NSTAC report focuses on Zero Trust and Identity Management. It is a massively important Zero Trust publication, providing a cornerstone of guidance to not only the Federal Government, but every organization pursuing a Zero Trust strategy.
The report took advantage of an "opportunity to deeply consider industry expertise in the early stages of the Federal Government’s Zero Trust journey", outlining best practices, deployment models, and recommendations.
The report makes 14 recommendations, but equally important if not more, defines a 5 step process for implementing Zero Trust in a flexible, repeatable, and technology agnostic manner:
Define the Protect Surface
Map the Transaction Flows
Build a Zero Trust Architecture
Create a Zero Trust Policy
Monitor and Maintain the Network
This 5 step process allows for an iterative way to evolve Zero Trust in an incremental fashion, and should be embraced by every organization, public or private, seeking to embark on a Zero Trust journey.
July 2022:
DoD Zero Trust Reference Architecture version 2.0
The Department of Defense (DoD) Zero Trust Reference Architecture version 2 is a comprehensive guide to implementing Zero Trust within the DoD and includes a number of tools and technologies that can be used to implement Zero Trust. This reference architecture is a supplement to the DoD Cybersecurity Reference Architecture that infuses Zero Trust principles.
The scope is to determine capabilities and integrations that can be used to successfully advance the DoD Information Network (DODIN) into an interoperable Zero Trust end state. It calls for Zero Trust to be used to re-prioritize and integrate existing DoD capabilities and resources, while maintaining availability and minimizing delays in authentication mechanisms.
The architecture establishes a framework that provides guidance via 5 tenets, 7 pillars and 7 principles.
The 5 tenets:
Assume a Hostile Environment
Presume Breach
Never Trust, Always Verify
Scrutinize Explicitly
Apply Unified Analytics
The 7 pillars:
User
Device
Network/Environment
Applications and Workload
Data
Visibility and Analytics
Automation and Orchestration
The 7 guiding principles:
Assume no implicit or explicit trusted zone in networks.
Identity-based authentication and authorization are strictly enforced for all connections and access to infrastructure, data, and services.
Machine to machine (M2M) authentication and authorization are strictly enforced for communication between servers and the applications.
Risk profiles, generated in near-real-time from monitoring and assessment of both user and device behaviors, are used in authorizing users and devices to resources.
All sensitive data is encrypted both in transit and at rest.
All events are to be continuously monitored, collected, stored, and analyzed to assess compliance with security policies.
Policy management and distribution is centralized.
August 2022:
NIST SP 1800-35: Implementing a Zero Trust Architecture
In collaboration with many cybersecurity experts and technology vendors, the NIST National Cybersecurity Center of Excellence (NCCoE) created this publication to demonstrate several example Zero Trust Architecture (ZTA) solutions - applied to a conventional, general purpose enterprise IT infrastructure - that are designed and deployed according to the concepts and tenets documented in NIST SP 800-207, Zero Trust Architecture.
The guide is intended for use by organizations of all sizes, and it provides an overview of the key concepts and principles of ZTA. It also includes a number of case studies and examples of how organizations have implemented ZTA.
While this publication is still under draft review, as of the time of this writing the following guides are available:
NIST SP 1800-35A: Executive Summary (2nd Preliminary Draft)
NIST SP 1800-35B: Approach, Architecture, and Security Characteristics (2nd Preliminary Draft)
NIST SP 1800-35C: How-To Guides (2nd Preliminary Draft)
NIST SP 1800-35D: Functional Demonstrations (2nd Preliminary Draft)
NIST SP 1800-35E: Risk and Compliance Management (Preliminary Draft)
November 2022:
DoD Zero Trust Strategy
A landmark publication which outlines the DoD’s plan to implement a Zero Trust security model. The DoD Zero Trust Strategy is a framework for implementing Zero Trust cybersecurity principles in the Department of Defense.
This is one of the first comprehensive strategies for implementing Zero Trust within the DoD. The strategy provides guidance on how to implement Zero Trust across all DoD networks and systems. It also includes a number of tools and technologies that can be used to implement Zero Trust.
The strategy describes a Zero Trust target level and an advanced level, allowing for an iterative, incremental approach towards Zero Trust, with:
91 targeted activities
61 advanced activities
This publication is a valuable resource for anyone who is interested in learning more about Zero Trust security.
A separate article will be published on this document as it provides a comprehensive overview of the topic and outlines the iterative steps that organizations can take to implement a Zero Trust security model.
March 2023:
NSA CSI: Advancing Zero Trust Maturity Throughout the User Pillar
Another NSA “cybersecurity information sheet” (CSI), this one focusing on the user pillar. The paper starts with a quote:
“At least two-thirds of cyberattacks are now focused on impersonating trusted users and systems to access vital data or critical systems.”
That bears repeating - AT LEAST 66% of cyberattacks are targeting identity.
Attackers are no longer going after your credit card, they’re going after your login.
This paper provides recommendations for maturing identity, credential and access management (ICAM) capabilities to effectively mitigate such cyberattacks. It further discusses how these capabilities integrate into a comprehensive Zero Trust framework.
The user pillar expands and refines the capabilities associated with the Federal Identity, Credential, and Access Management (FICAM) framework to address the enhanced threat to identity, credentials, and access management. This CSI identifies these capabilities and aligns them to Zero Trust maturity levels for the user pillar.
The FICAM Framework and user pillar capabilities include:
Identity Management
Credential management
Access Management
Federation
Governance
With identity being core to a Zero Trust strategy, this guidance is extremely important and valuable, and should be referenced as part of your Zero Trust journey.
Summary
If it wasn’t clear before, I hope by now you can see how committed the US Government is in aggressively pursuing the advancement of Zero Trust across all Federal Agencies, as well as setting the stage for private industry. These bountiful resources are available to everyone to help elevate the state of the Zero Trust cybersecurity practice, and I sincerely hope you take advantage of them to help you on your own Zero Trust journey.
We are stronger as a community of practice. Stay safe and do not hesitate to start your Zero Trust journey!
Initiative Summary Table
To help clarify the full picture of all US Government activity related to Zero Trust, this table presents a consolidated view of all initiatives in timeline order. Each item is also linked to the source:
| Date | Initiative | Agency |
|---|---|---|
| Aug 2020 | NIST SP 800-208 Zero Trust Architecture | NIST |
| Feb 2021 | NSA CSI: Embracing a Zero Trust Security Model | NSA |
| May 2021 | EO14028 on Improving the Nation's Cybersecurity | Executive |
| Jun 2021 | CISA Zero Trust Maturity Model | CISA |
| Jan 2022 | M-22-09 Advancing Zero Trust Architecture | OMB |
| Feb 2022 | NSTAC Report: Zero Trust and Identity Management | NSTAC |
| Jul 2022 | DoD Zero Trust Reference Architecture version 2.0 | DoD |
| Aug 2022 | NIST SP 1800-35: Implementing a Zero Trust Architecture | NIST NCCoE |
| Nov 2022 | DoD Zero Trust Strategy | DoD |
| Mar 2023 | National Cybersecurity Strategy (NCS) | Executive |
| Mar 2023 | NSA CSI: Advancing Zero Trust Maturity Throughout the User Pillar | NSA |
| Apr 2023 | CISA Zero Trust Maturity Model version 2 (JUST RELEASED) | CISA |
Join Our Community
We greatly value and have deep commitment to providing valuable insights and resources to help our community stay safe in an ever-evolving threat landscape. We invite readers to subscribe to learn more and follow us on LinkedIn to stay up-to-date with the latest news and trends in cybersecurity. Together we can build a more secure future!
