President Joe Biden signs executive orders on immigration Feb. 2, 2021, in the Oval Office of the White House. As the Biden administration pushes the government to adopt zero trust architectures, OMB's top security official said smaller or independent agencies will need to be held to different standards on adoption. (Official White House Photo by Adam Schultz)

The Biden administration wants to push the federal government away from many of the network perimeter-based defenses it has historically relied on for cybersecurity and towards “zero trust” IT architectures and strategies.

The specific goals and deliverables that federal agencies will be on the hook for are spelled out in an Office of Management and Budget memorandum issued in late September, with many timelines for completion set for 2024. However, Federal Chief Information Security Officer Chris DeRusha said that his office, which will oversee much of the transition work across civilian federal agencies, recognizes the vast disparities that exist between different departments and agencies, and won’t hold every entity to the same standards.

“Agencies vary in resources and size and capability. You have some very sophisticated, large agencies [with] hundreds of thousands of people, all the way down to agencies where your functional CISO is also wearing three or four other hats,” DeRusha said during the Billington Cybersecurity Summit this week. “That is just the reality of it, so we do have different levels of expectations and we’re also considering shared-service models for the smaller agencies and how we can bring a lot of those capabilities to them.”

While it may be “wholly appropriate” for larger agencies to create or implement their own architecture and technologies around zero trust, smaller and less mature agencies are simply not going to have the same budget, resources or robust security teams in place to meet some of the more ambitious goals set out by the Biden administration. That reflects some of the questions federal IT officials have been publicly grappling with since the OMB memo was released.

It also mirrors the approach that the Cybersecurity and Infrastructure Security Agency took for similar security programs implemented across civilian agencies, like Continuous Diagnostics and Mitigation, splitting agencies into different groups — including a specially designated group for small and independent agencies — to better meet their individual needs and budgets.

DeRusha said that’s also why the administration decided to put the draft strategy out for public comment, even though the underlying White House executive order authorizing the strategy didn’t require them to do so. There are likely many smaller or nontraditional organizations in the private sector with mature zero trust architectures and strategies that could translate to smaller agencies, something the government wants to take advantage of.

“We did that because we recognize this is a beginning stage of a paradigm shift for everyone, and there are some organizations that are further along than we are and we really, truly want to learn from those experts and get their feedback and make sure that we have the right plan moving forward,” he said.

One of the challenges agencies will have to grapple with is figuring what zero trust architecture will look like and what actual investments, technologies and processes it will require. While many security experts endorse zero trust as an easy framework to convey the modern threat landscape to executives and non-technical decision-makers, it’s more of a philosophy around security than an endorsement of a particular product or system. That hasn’t stopped it from becoming a catchall label for many vendors and their marketing departments, who now routinely bombard companies (and journalists) with claims that buying their stuff equals doing zero trust.

While this transition is often discussed in the context of installing new technologies and processes, it can also represent an opportunity for some agencies to do an IT version of spring cleaning, identifying existing tools or protections that no longer serve a purpose or fit into a security strategy not based on defending a network perimeter.

“This isn’t about just buying new tools, right? This is also about saying where do we have things stood up that we don’t need anymore … maybe we don’t need to maintain or refresh some of the tools that we already have,” said Dr. Kelly Fletcher, acting CIO for the Department of Defense.