The Biden administration said it wants federal agencies to steer toward a zero trust architecture in their IT security deployments. It put out the call in a May 2021 executive order on improving the nation’s cybersecurity.
Now, the Office of Management and Budget has made that imperative more concrete. It recently released a federal zero trust strategy document, which requires agencies “to meet specific cybersecurity standards and objectives by the end of Fiscal Year 2024 in order to reinforce the Government’s defenses against increasingly sophisticated and persistent threat campaigns.”
This could have big implications for the GovCon community.
“This is an amazing resource for the contracting community,” said Michael Baker, staff vice president and chief information security officer at GDIT. The strategy “provides clarity and direction to President Biden’s zero trust mandate in the May 2021 Executive Order.”
Others, too, give the White House high marks for keeping up the momentum.
“As a leading systems integrator for the government, Leidos is proud to see OMB prioritizing Zero Trust security architecture to protect data,” said JR Williamson, Leidos senior vice president and chief information security officer.
“With threats of cyberattacks constantly on the rise, it is imperative that we all work towards adopting a Zero Trust framework to substantially improve security policies and processes, to harden environments against attacks, and minimize the impact if an organization is compromised,” he added.
Why Zero Trust?
The zero trust security framework requires that in the absence of a conventional network edge, all users on the network be authenticated, authorized and continuously validated in order to gain access to needed applications and data.
The administration’s stated aim here is to reduce the risk of successful cyberattacks against federal digital infrastructure. In announcing the strategy, OMB cited events such as the recently revealed Log4j vulnerability — which allows attackers to execute code remotely on any targeted computer — as evidence that adversaries continue to find new opportunities to compromise federal systems and processes.
“In the face of increasingly sophisticated cyber threats, the Administration is taking decisive action to bolster the Federal Government’s cyber defenses,” Acting OMB Director Shalanda Young said in a news release.
“This zero trust strategy is about ensuring the Federal Government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the United States harm,” she added.
By implementing zero trust, agencies can ensure they have the security they need to deliver higher-level digital experiences. The newly announced plan “provides a clear roadmap for deploying technology that is secure by design and responsive to the needs of our workforce so they can better deliver for the American public,” said Federal Chief Information Officer Clare Martorana.
The GovCon Angle
The contracting community has a vested interest in supporting agencies’ zero trust ambitions.
“As both our customers and industry progress on our journey towards zero trust, this strategy provides some clear benchmarks along the way across identity, device, network, applications, workloads, and data,” Baker said.
To that end, GovCons can play a pivotal role in driving the federal embrace of this emerging architecture.
“Oftentimes, the hardest part about embarking on these large transformative journeys is just knowing where to start — providing the vision and action items brings needed clarity to focus time, energy, and investment,” Baker said. Contractors can leverage the strategy “to transform our own environments with a commitment to lead from the front and meet our customers’ expectations.”
Government officials, meanwhile, say they will in fact be looking to industry to support agencies in this effort.
“It was extremely important for us to work collaboratively with top experts across the government, industry and academia and build consensus around the highest value starting points for a defensible zero trust architecture,” Federal Chief Information Security Officer Chris DeRusha said in a news release.
With support from the contracting community and others, this strategy “will serve as the foundation for a paradigm shift in Federal cybersecurity, and provide a model for others to follow,” he added.