The U.S. federal government might not be known for moving quickly on some fronts. But when it comes to the need to improve cyber security and adopt a zero trust architecture, there is clearly a sense of urgency.
The mandate issued by the White House in May 2021 in the form of an executive order to improve the nation’s cyber security leaves no doubt about how important it is for government agencies and those organizations that do business with them to abide by zero trust policies.
“Incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” the order states. The federal government “must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid.”
Why does the mandate say we need "bold changes" and to avoid "incremental improvements?" Because the public and private sector can't be slow anymore when it comes to dealing with constant cyber risks and threat actors. The sense of urgency is brought home in the fact that basically every deadline included in the document is within one year of the order’s release.
Zero trust is an evolving set of cyber security paradigms that transform defenses from static, network-based perimeters to focus on users, assets, and resources, according to the The National Institute of Standards and Technology (NIST). The model assumes that there is no implicit trust granted to assets or user accounts based solely on their physical or network location.
Zero trust assumes that no users or devices are to be trusted without continuous verification.
“In the traditional IAM models, even though strong levels of authentication are more or less required, there is still an implicit level of trust that is often taken for granted,” writes Holli Hagene in a recent Exterro blog post. “For example, employees that have been around the longest in a business could bypass certain authentication mechanisms without being questioned at all.”
With the zero trust framework, she writes, it takes this principle to another extreme in which nobody is trusted in both the internal and external environments to your company. In other words, it is not just end-users, but even devices, and the higher-ranking members of both the C-suite and the board of directors that cannot be trusted at all.
For zero trust to work optimally, however, organizations must remove barriers to sharing threat information. As the executive order notes, the federal government contracts with service providers to conduct an array of day-to-day functions.
This includes cloud service providers that have unique access to and insight into cyber threat and incident information on federal systems. But current contract terms or restrictions might limit the sharing of such threat or incident information with executive departments and agencies that are responsible for investigating or remediating cyber incidents, the order says.
“Removing these contractual barriers and increasing the sharing of information about such threats, incidents, and risks are necessary steps to accelerating incident deterrence, prevention, and response efforts and to enabling more effective defense of agencies’ systems and of information collected, processed, and maintained” by the federal government, the order says.
The Administration wants to ensure that service providers collect and preserve data and reporting relevant to cyber security event prevention, detection, response, and investigation on all information systems over which they have control. This includes systems operated on behalf of agencies. The service providers are also required to share with federal government entities all the data related to cyber incidents or potential incidents relevant to any agency with which they have contracted.
The executive order also mandates service providers collaborate with federal cyber security or investigative agencies in their investigations of and responses to incidents or potential incidents on federal information systems, including by implementing technical capabilities such as monitoring networks for threats in collaboration with agencies they support, as needed.
There are quite a few additional, detailed mandates in the executive order for companies that work with the government—all of which have deadlines associated with them. Any company that provides services to the federal government needs to be aware of these mandates and work toward meeting them—otherwise they can expect to experience lost business.