In a year marked by significant cyber events, the White House’s Executive Order on Improving the Nation’s Cybersecurity made it clear that maturing our cyber defenses is a priority for our country. The Executive Order (EO) highlights the need for cybersecurity modernization – specifically through advancement toward zero trust and migration to secure cloud services.

Zero trust is a cybersecurity framework developed around the concept of “never trust, always verify.” It requires all users, whether they are inside or outside an organization’s network, to be continuously validated to access applications and data. This is assessed against five key pillars: identity, devices, network and environments, applications and workloads, and data.

Where to Start?

The Cyber EO requires all Federal agencies to develop a detailed plan to implement a zero trust architecture. The Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency (CISA) published the final version of their zero trust strategy in January, which provides roadmaps for agencies to transition to zero trust models and securely migrate to cloud services over the next two years.

Here are some steps to consider in the process:

  • Define the protect surface: Everything starts with the data; you can’t defend what you don’t know you have. The first step is to conduct an audit of the data, applications, and other services you use within your network. Identify these elements, determine where they reside, and start categorizing them by value and risk.
  • Map data transaction flows: A critical component of zero trust is preventing adversaries from moving laterally in your environment to access other assets. It’s critical to understand how and where data flows – across all five key pillars. With a map of your environment, you can create enforcement points throughout your architecture to secure, manage and monitor devices, users, applications, and other network activity.
  • Architect the environment: Define the technology capabilities you need to defend the protect surface and data transaction flows across the five key pillars. For example, from an identity perspective, implementing identity, credential, and access management (ICAM) solutions will enable you to track user identities across the network and ensure access is limited to only those who can verify they need it.
  • Create policies around access: Consider who needs access to what data and applications, and what security standards their devices must meet to gain access.
  • Monitor and maintain: Define how you will monitor and maintain your environment going forward to assess your protect surface and enforce policies. Automated decisions around trust, such as looking for suspicious network activity and shutting it down at machine speed, are needed at scale – and investments are necessary.

These five steps named in the guidance, which must be met by the end of Fiscal Year 2024, closely align with the five pillars of the Zero Trust Maturity Model published by CISA.

The Importance of Partnership

As agencies modernize their cybersecurity programs, they must approach every decision – across technology, process, and people – with a zero trust mindset. It’s important that agencies seek an industry partner with holistic, enterprise-wide experience and expertise across all five zero trust pillars to help guide them on their journey.

Agencies need a partner who has the required capabilities as well as proven experience developing reference architectures. Trusted partners in the cyber industry know that cyber is not a singular part of the mission – it’s the thread that connects every endpoint, network, and person.

GDIT, for example, has worked with the Defense Information Systems Agency (DISA) on its ICAM program to identify efficiencies, facilitate strong authentication to cloud services, provide authorization services with role-based access, and enable better and faster audits of users and resources. This program is a critical pillar of the Department of Defense’s (DoD) ultimate push toward a zero trust architecture.

Agencies can also look to trusted partners to leverage zero trust architecture to modernize their infrastructure and secure their move to the cloud. As the DoD continues to migrate its users to the Defense Enterprise Office Solution (DEOS), the cloud-based environment that will deliver collaboration services to the DoD, zero trust architectures will provide an added layer of security and authentication to support rapid migration.

As agencies modernize their cybersecurity programs, they must approach every decision – across technology, process, and people – with a zero trust mindset. It’s important that agencies seek an industry partner with holistic, enterprise-wide experience and expertise across all five zero trust pillars to help guide them on their journey.

Dr. Matthew McFadden, Vice President, Cyber & Distinguished Technologist

Opportunity Ahead

While advancing toward a zero trust architecture is a challenging undertaking for our government, it is a necessary evolution to help us meet today’s sophisticated cyber threats head-on. Ultimately, zero trust will serve as an enabler for broader digital transformation, making it easier and more secure for agency users to work productively and safely from any device, from any location.

The requirements and timelines outlined in the Cyber EO are ambitious, representing a monumental shift in how government networks are secured, software is procured, and cyber teams operate and collaborate. It’s important to get started today. Take small steps, make forward progress, iterate over time, and use lessons learned to make informed decisions for the future. And you don’t need to do it alone – seek out a partner who can support you every step of the journey.