Zero Trust or Bust

Recently issued Executive Order 14028 serves as a call to action for the federal government, in partnership with private industry, to make “bold changes and significant investments” to strengthen the cybersecurity posture of the nation.

Among its objectives, the executive order directs federal civilian executive branch agencies to accelerate adoption of multi-factor authentication and of encryption for data at rest and in transit, and to move toward zero-trust architectures. As the requirements of Executive Order 14028 are carried out over the next year and beyond, one question should drive implementation: who gets to see what content?

Encryption by itself is not a data-centric security approach. It becomes one when it is used to enforce a sound access-control policy down to the level of individual data objects, applied consistently and diligently under a zero-trust model: a subject who is not authorized for a piece of content should never be in a position to decrypt it.

Elements of Zero Trust

Zero trust is predicated on the principle that, within an information system, trust is never assumed or inherited from location, network segment or prior access. Per NIST SP 800-207, it “involves minimizing access to resources (such as data, compute resources, and applications/services) to only those subjects and assets identified as needing access as well as continually authenticating and authorizing the identity and security posture of each access request.” In practice that means every request is evaluated on its own, against the identity making it, the posture of the device it comes from and the sensitivity of the resource it targets.
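The following is an added example, not code from NIST SP 800-207, the executive order or the article, showing what a per-request access decision of the kind described above looks like when written down. It ties the decision to the question raised earlier in the piece (who gets to see what content) by classifying each resource and mapping roles to classifications. The policy table, thresholds, role names and sample subjects and devices are all constructed for illustration; the one deliberate design point is that the caller's network location is accepted and then ignored, so being "inside" confers no trust.

```python
"""Per-request access decision in the zero-trust style of NIST SP 800-207.

Added illustration, not code from NIST, the executive order or the article.
The policy table, thresholds and sample inputs are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    mfa_verified: bool   # did this session complete multi-factor authentication?
    token_age_s: int     # seconds since the identity was last verified


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in enterprise device management
    disk_encrypted: bool
    patch_age_days: int    # days since the approved patch level was applied


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str    # "public", "internal" or "restricted"


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# Hypothetical policy: which roles may read each classification of content.
READ_POLICY = {
    "public": {"*"},                          # any verified identity
    "internal": {"employee", "contractor"},
    "restricted": {"records-officer"},
}
MAX_TOKEN_AGE_S = 900        # re-verify identity at least every 15 minutes
MAX_PATCH_AGE_DAYS = 30      # device posture threshold (hypothetical)


def authorize(subject: Subject, device: Device, resource: Resource,
              source_network: str) -> Decision:
    """Decide a single request. Every check runs on every call; nothing is
    cached from earlier requests, and network location is never consulted."""
    del source_network  # accepted for logging elsewhere, deliberately unused

    # 1. Continual authentication: a stale identity must re-authenticate.
    if subject.token_age_s > MAX_TOKEN_AGE_S:
        return Decision(False, "identity not recently verified; re-authenticate")

    # 2. MFA is required for anything that is not public.
    if resource.classification != "public" and not subject.mfa_verified:
        return Decision(False, "MFA required for %s data" % resource.classification)

    # 3. Device posture is part of the decision for non-public data.
    if resource.classification != "public":
        if not device.managed:
            return Decision(False, "unmanaged device")
        if not device.disk_encrypted:
            return Decision(False, "device storage not encrypted")
        if device.patch_age_days > MAX_PATCH_AGE_DAYS:
            return Decision(False, "device patch level too old")

    # 4. Least privilege: only roles identified as needing this class of data.
    allowed = READ_POLICY.get(resource.classification)
    if allowed is None:
        return Decision(False, "unknown classification: deny by default")
    if "*" in allowed or subject.roles & allowed:
        return Decision(True, "role authorized for %s data" % resource.classification)
    return Decision(False, "role not authorized for %s data" % resource.classification)


if __name__ == "__main__":
    # Constructed sample subjects, devices and resources.
    alice = Subject("alice", frozenset({"employee"}), True, 120)
    laptop = Device("lt-01", True, True, 5)
    kiosk = Device("kiosk-7", False, False, 400)
    for res in (Resource("handbook", "internal"), Resource("hr-records", "restricted")):
        for dev in (laptop, kiosk):
            d = authorize(alice, dev, res, "corp-lan")
            print(f"{alice.user} on {dev.device_id} -> {res.name}: "
                  f"{'ALLOW' if d.allow else 'DENY'} ({d.reason})")
```

Note that the same user, requesting the same resource from the same internal network, is denied the moment the device fails a posture check or the identity goes stale; that is the difference between a per-request decision and a perimeter that grants access once and trusts the session thereafter.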

Phases of Implementation

Enterprise-level zero-trust implementation plans, as called for in the executive order, should address these elements in three phases. First, set a zero-trust vision that identifies a target end state, including a best-fit approach for each element that reinforces the organization's specific mission objectives.

Once a vision is established, agencies can set an execution strategy. That strategy could include policy updates, standing up a governance body or changing how existing ones operate, hiring, training for end users and system administrators, and procurement or reallocation of resources.

Finally, beyond regular reporting requirements, agencies might brief their experiences to their relevant governance bodies or to one of the several federal interagency coordinating bodies, for example the Federal CIO Council, relevant interagency policy committees or other communities of practice. Agencies could also help others learn about effective security technologies by partnering with the National Cybersecurity FFRDC through the Work for Others Program, managed by the NIST National Cybersecurity Center of Excellence.

Read more at: Nextgov