On May 12, 2021, the White House released an Executive Order (E.O.) on improving U.S. cybersecurity. The directive’s third section, entitled “Modernizing Federal Government Cybersecurity,” requires Federal Civilian Executive Branch (FCEB) agencies to begin moving to a zero trust architecture (ZTA). For instance, it commands each agency head to “develop a plan to implement Zero Trust Architecture” within 60 days of the Order’s release. The mandate further emphasizes the importance of ZTA as a way of balancing agencies’ ongoing migration to cloud technology with their duty to help defend the federal government against digital incidents.
The Challenges of Building a ZTA
There are three recognized ways for FCEB agencies within scope of the Executive Order to build a ZTA. These are as follows:
- Identity-centric: Under this approach, security teams emphasize the identities of their users, endpoint devices, applications, and other resources. They do this by creating access policies based on their documented identities and their assigned attributes. Those policies reflect the principle of least privilege along with device used, asset status, environmental factors, and other security attributes.
- Network-centric: Here, security teams focus on protecting access to their resources based upon their location in the corporate network. They draw upon Software Defined Networks (SDNs), Next Generation Firewalls (NGFWs), intelligent switches, and other technologies to enforce those access policies.
- A combination: The third and final ZTA methodology blends both Access Management in the cloud and Secure Access Service Edge (SASE).
Even so, FCEB agencies and other organizations sometimes struggle to implement the approaches discussed above. Only a fifth of organizations in a 2021 study said that they were very confident in their organization’s understanding of a zero trust model, reported TechRepublic. Approximately 70% indicated that they were somewhat confident, while around one in 10 admitted to having minimal confidence. When asked why they lacked confidence, survey participants most often named two barriers: a lack of clarity around how they should implement zero trust and the need for ongoing identity and access management (IAM) capabilities, both cited at 32%.
Some challenges apply to federal agencies specifically. The speed with which FCEB agencies are expected to implement new security approaches isn’t always feasible, for instance. Part of the reason is sometimes a lack of adequate funding to support those changes.
“A lot of these executive orders are unfunded mandates,” said Theresa Payton, CEO of Fortalice Solutions and former White House CIO in the George W. Bush administration, to CSO.
“Typically, a bucket of cash doesn't fall out of the sky. It's up to the Office of Management and Budget to understand appropriations that have been allocated to encourage the departments and agencies to allocate previously appropriated funds to the executive order.”
A lack of funding isn’t an issue in the case of this particular Executive Order, however. Just a few weeks after the release of the E.O., the White House requested that an additional $500 million be added to the federal government’s Technology Modernization Fund for cybersecurity improvements. It also asked for nearly $10 billion to go to civilian cybersecurity programs across the government, reported FedScoop. Several months later, the Office of Management and Budget (OMB) released an official strategy for helping the U.S. government embrace a zero-trust approach to cybersecurity. Together, these actions provide agency heads with the resources and strategic vision that they need to confidently build zero trust in their organizations.
An Even Larger Ring of Challenges
By design, the Executive Order discussed above concerns only agencies at the federal level. It doesn’t directly pertain to or mention state and local government agencies. But that’s not to say those organizations can’t use the E.O. to inform their security journeys. Indeed, the E.O. sets the tone not only for other public agencies but also for entities in other sectors. Danna Bethlehem Coronel recently noted in another article how there tends to be a trickle-down effect with these Executive Orders into different sectors, something which we see with many regulations. Consequently, other public agencies can use the E.O. to guide their security efforts going forward.
These organizations suffer from their own share of challenges, however. GovTech noted that these smaller public bodies face the same security challenges as large organizations. The difference is that they don’t have the resources to integrate multiple products into a comprehensive security strategy. Nor do they have the requisite internal expertise to confirm that they’ve deployed those solutions correctly and to manage them going forward. This leaves those organizations more vulnerable to a digital attack.
Balancing Budget and Expertise
The challenges discussed above emphasize the need for FCEB agencies and public sector organizations everywhere to pursue their zero trust efforts in a way that compensates for a lack of internal security expertise while saving on budget allocations. In my next blog, I’ll explore Thales Cyber Packs that include authentication and data encryption services as one path forward. Stay tuned for an in-depth exploration of what these involve.