The Biden administration is prioritizing cybersecurity for today’s evolving threat landscape, with a recently proposed federal budget for fiscal year 2024 that includes a spending increase of $12.7 billion for cyber-related activities within federal agencies.
Any discussion about federal IT modernization and cybersecurity practices, however, must begin with implementing an effective zero trust architecture, or ZTA.
In 2021, the White House issued an executive order requiring federal agencies to assess their cyber environment and create a plan for implementing zero trust security. Following this EO, the Office of Management and Budget released a Zero Trust draft strategy, giving agencies until September 2024 to meet five “specific zero trust security goals.”
The government has made it clear that cybersecurity going forward will be built upon ZTA.
Taking (Centralized) Control
A zero trust environment begins with identity and access management—in other words, authentication and authorization. The primary unit of control in a zero trust environment moves from the network to an identity-based model. With the increasing demand for the efficiency and speed enabled by automation, the ability to authenticate humans and machines and enforce well-defined access policies is critical.
To build a zero trust architecture, it’s important first to centralize the management and control of credentials, keys, certificates, tokens, or any other secrets in your environment. Identities can then be authenticated from a trusted source and authorized for access to applications and services. Centralized secrets management establishes who and what can enter your environment and how users, devices, and applications are authorized to act, giving IT administrators more control and visibility across the entire organization.
Identity management sounds simple, but as infrastructure evolves at a rapid pace and moves to the cloud at scale, security standards and practices must evolve too. The cloud extends the network perimeter outside the traditional data center, enlarging the blast radius and exposing the environment to more security threats. What’s more, multi-cloud environments by nature include any number of identity providers, complicating the management and control of identities across the entire environment.
Having centralized secrets management is in fact core to building a zero trust environment. However, it’s only the first of several considerations when implementing ZTA.
Considerations for Agencies
A crucial early step for federal agencies is assessing current policies and strategies regarding data protection and identity management to understand system strengths, weaknesses, and gaps. One good sign that an agency is prepared for zero trust architecture is the use of identity, credential, and access management tools and, even better, having a central ICAM office in place. Investing in and creating policies around modern ICAM technology is imperative to creating a robust zero trust architecture.
From a personnel perspective, the federal cyber skills gap continues to grow—in fact, public sector cybersecurity demand grew 25% throughout 2022 with 45,708 job postings, according to NIST’s National Initiative for Cybersecurity Education. Federal leaders must seek innovative ways to develop the necessary and relevant skills to retain and grow a talent pool already in high demand, as agencies compete with industry to fill openings.
The widening skills gap comes at a time when cyberattacks are up 238 percent. Cybersecurity training and development, along with programs to drive recruitment and retention of critical talent and skills, must be key considerations for agencies in the proposed federal budget.
The fast pace of technology innovation today makes regulatory compliance increasingly difficult. To achieve operational readiness and authority to operate in this environment, some of the proposed funding could be targeted toward streamlining acquisition processes and requirements. Continued collaboration between industry and federal decision makers is also key.
In late 2022, NIST solicited feedback from technology companies to flesh out the details of its zero trust architecture. The federal government looks to industry to provide recommendations and drive innovation for the public sector. It must continue to facilitate, strengthen, and prioritize partnerships with industry to keep driving IT modernization and cybersecurity innovation.
The proposed federal budget is a step forward to foster these relationships and prioritize crucial cybersecurity technologies to protect our nation’s critical infrastructure. With a potential budget increase, IT decision makers should aggressively pursue investments in ZTA, starting with comprehensive identity and access management. Creating a safer, more secure digital environment is indeed a journey – and that journey has the potential to accelerate with much-needed federal funding.
Tim Silk is regional director, solutions engineering, at HashiCorp Federal, a supplier of software products and services to federal agencies.
This article is an Op-Ed and the opinions expressed are those of the author.