On January 26, 2022, the White House introduced a new cybersecurity directive to reduce cyberattacks against federal agencies and their digital infrastructure. With the 2020 SolarWinds hack still fresh in the minds of many in the IT world and the even more recent Log4j security issue, it should come as no surprise that the government is now looking to secure and strengthen its internal workings more than ever.
The memorandum, which standardizes all Office of Management and Budget (OMB) expectations, was sent to all federal agencies and mandates adopting a zero trust architecture system. Since its release, government agencies were given 30 days to appoint a strategy lead for their organization and then 60 days after that to submit an implementation plan for the fiscal year 2022 to 2024 followed by an estimated budget for the fiscal year 2023 to 2024. The ultimate goal is that by September 2024, federal agencies will meet five specific zero trust goals focusing on identity management, devices, networks, data, and applications.
While many applaud the new initiative, there are concerns within some federal agencies that the timelines are too aggressive and that their staff is not ready to make all the changes necessary, per a recent survey. With the clock literally ticking, we will explore how those tasked with this responsibility can best prepare for zero trust compliance.
Changing Culture: Overcoming Staff Distrust of New Protocols
Federal agencies can sometimes be set in their ways and take a very long time to respond or change how they tackle big projects. When it comes to executing zero trust security, it simply comes down to ensuring that every user and device connected to an agency’s network is verified and that users only have as much access as they need, nothing more or less. That includes internal staff and executives who may feel they should have more access or broader privileges because they work in an elevated role at the agency.
The reality is that threats can come from both the outside and the inside of an organization. No piece of technology or any user can be 100 percent trusted. That’s why the security model is called zero trust. Adopting a least-privilege model is the smart way to go. Depending on an agency’s specific system, network privileges can be assigned to individual users based on business units, roles, seniority, and other factors.
The least-privilege model can be a hard pill to swallow for some who have worked at an agency for a long time. They may suddenly feel that they are now not trusted despite years of service. It may also take some time for recent hires or those unfamiliar with zero trust protocols to get entirely used to the concept. Before any implementations are made, it’s a good idea to fully brief staff and any vital users and bring them fully up to date on zero trust principles. This is especially necessary to get staff buy-in on any necessary protocol changes so that they feel like a vital part of the solution rather than being viewed as a potential source of trouble.
Utilizing Existing Technology in the Marketplace
When it comes to reaching the OMB’s accelerated timeline for zero trust, some federal agencies may feel that they have to requisition the development of brand new technology. The risk is that in their rush to meet the specific deadlines, they may overlook existing resources that can help speed up the process and ensure a successful transition.
For example, the OMB zero trust mandate asks that each agency prioritize resources to adopt and use cloud technology. That includes utilizing such services as Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). In addition, agencies will need to centralize and streamline access to data to help inform analytics, improve their use of analytics to identify and manage potential risks, and invest in both technology and personnel to meet the government’s modernization goals.
Fortunately, many cloud-based technology solutions already exist that can be integrated to fit an agency’s specific needs. This can save time and money in development, deployment, and implementation since the individual vendor has already done most of the build-up work. Also, hiring an IT consultant who understands both the technology and how it can work best specifically for government use can certainly expedite the process.
Today’s Hybrid World and the Impact on Implementation
The most pressing factor federal agencies will need to consider when meeting the new mandates is today’s new hybrid workforce world. Since the pandemic, many federal workers are either 100 percent teleworking or employed in a hybrid schedule. In 2020, 45% of all agency employees teleworked, according to the Office of Personnel Management (OPM). Of everyone eligible to telework, 90% did just that in 2020 compared to 56% in 2019.
With the federal government continuing to encourage telework, the mandate to implement zero trust compliance is even more critical. With so many employees working from home, in an office, or anywhere with a Wi-Fi connection, the opportunities for a cyber attack rise exponentially. Because of that, the old ways of “perimeter defense,” or creating a security plan based on everyone working in the same office, no longer work today.
To implement zero trust compliance, agencies must ensure that all technology used by their employees, from computers to cell phones, is entirely secure. In addition, agencies must implement multi-factor authentication for users to access networks and applications along with endpoint security to ensure devices are not compromised. Finally, continuous monitoring and response to potential threats are crucial to preventing a possible attack.
To meet the OMB’s cybersecurity goals, every federal agency will need to develop a plan and budget that meet its organizational needs and keep its staff satisfied, especially in our new hybrid workforce reality. A “one size fits all” plan will not work. That’s why agencies should seek resources and experienced consultants familiar with the government world and current technology to help make implementing zero trust a successful reality.
Does your agency or organization need guidance or additional support to fully implement zero trust compliance? Reach out to J5 Consulting and connect with our team of IT experts.