Never Trust, Always Verify

The Issue

The federal government’s latest guidance aimed at improving the nation’s cybersecurity demonstrates a commendable shift in priorities — moving away from perimeter defense and firewalls and instead embracing zero trust architecture (ZTA) to create resilient systems. For the government to succeed in this transition, it must recognize that ZTA is more about mindset and culture than it is a standardized roadmap. The government should act with urgency to adopt this mindset and specific plans for implementation, even while emphasizing that implementation will be an ongoing process over several years.

Introduction

Recent nation-state cyber operations targeting U.S. federal government information systems, including the 2020 SolarWinds supply chain compromise, are motivating ambitious efforts across the executive and legislative branches to create resilient information systems and modernize federal cybersecurity. U.S. cybersecurity leaders are pursuing these modernization efforts across several lines of effort, with the White House issuing multiple executive orders, the National Institute for Standards and Technology (NIST) issuing new standards and guidance, and Congress evaluating major revisions to the Federal Information Security Management Act (FISMA).

Uniting these diverse initiatives is the emerging consensus that resilience is best achieved by a “zero trust” approach to cybersecurity. Above all else, zero trust, or zero trust architecture (ZTA), should be considered a security design philosophy — rather than a specific suite of technologies — that reflects a security approach of “never trust, always verify.” This approach stands in sharp contrast with traditional information technology (IT) network designs that rely heavily on trusting devices connected to a network and only verifying identity once. Endpoint security, which CrowdStrike defines as “preventing, detecting and remediating cyberattacks for any device, whether it is connected to a traditional network or in the cloud,” is a key element of ZTA. The endpoint security net extends to a large number of devices, geographic regions and network types,” including laptops, mobile phones, tablets, and Internet of Things (IoT) devices. The scale and complexity of the endpoint security challenge is rapidly transforming the types of tools necessary to secure an organization’s endpoints. Increased mobility, along with Bring Your Own Device policies, and the increased adoption of IoT reflect an endpoint security mission that has rapidly surpassed traditional approaches, such as deploying anti-virus software on physical workstations. Going forward, organizations will need to integrate a diverse array of endpoint security components into their broader ZTA strategies. As Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly recently argued, adopting zero trust “really is a journey,” and identifying and implementing the right suite of measures will be a major challenge for many federal agencies.

To assist the U.S. federal government’s efforts to improve its cyber defenses, the Center for Strategic and International Studies (CSIS) undertook a six-month research project focused on examining federal zero trust implementation. Working from CISA’s existing Zero Trust Maturity Model guidance, CSIS focused its analysis on whether zero trust is the right answer for the federal government and, having established the benefits of this approach, what obstacles exist to implementation.

Researchers focused on two key elements of zero trust: devices and identity. Although ZTA principles need to extend to every aspect of an agency’s enterprise, zero trust fundamentally begins with knowing what devices are connecting to agency resources, verifying who is using them, and then having the right policies and technologies in place to properly govern access.

CSIS interviewed cybersecurity experts from across industry and government and convened a structured workshop to answer five key questions:

• Is ZTA the right approach for improving federal cybersecurity?

• How can the federal government implement ZTA and endpoint security across its networks?

• What acquisition and security approaches are either contributing to or undermining efforts to integrate zero trust into federal networks?

• How should recent sophisticated cyber incidents influence decisionmaking on zero trust and endpoint security implementation?

• How have efforts to improve workforce mobility, made acute by the Covid-19 pandemic, accelerated or impeded implementation of ZTA and endpoint security?

This brief delivers the CSIS research team’s findings across four sections. It begins with a brief summary explaining the concept of zero trust and why it is imperative for modern enterprise security, including for the federal government. It then identifies several of the key barriers that are currently impeding federal government ZTA adoption efforts. The final two sections highlight enabling factors, recommendations, and next steps agencies, departments, and Congress can take as they build out their ZTA plans. The findings in this report are informed by interviews with cybersecurity experts (Appendix A) and independent research.

There is no single path to success in designing and implementing an enterprise architecture that is built on zero trust principles. While there will be many similar steps along the zero trust journey for all federal departments and agencies, their diverse missions, security requirements, and existing architectures — more than anything else — require approaches that are agile and adaptable across a wide range of use cases. Fundamentally, federal agencies and departments must make space in budgets for procurement and training, and Congress must consistently fund agency-specific cybersecurity enhancement plans.

There is no single path to success in designing and implementing an enterprise architecture that is built on zero trust principles.

Storming the Castle: Why Zero Trust?

Zero trust is often characterized as an alternative to legacy “perimeter-based” cybersecurity. For decades, enterprise cybersecurity efforts have revolved around the concept of “implicit trust.” Under this model, networks and systems were designed to defend against intrusions at a well-defined network perimeter. Imagine this perimeter as a medieval castle. The castle is surrounded by a moat and 40-foot-high stone walls. Access is granted only via a single gate, where guards scrutinize and verify the identity of each visitor. However, once admitted, one can move about freely. Some areas inside the castle are locked and guarded, but most are not. There is little scrutiny once someone is within the walls because their very presence means they have been vetted. They are implicitly trusted.

But what if someone is not whom they claim to be? What if they are an assassin disguised as a guard? What if they are secretly working for a rival kingdom and intent on theft and sabotage? Credential harvesting remains a popular entry point for malicious cyber actors. In a perimeter-based environment, those bad actors — once they gain initial access to a network — could potentially operate unconstrained within the walls. In 2010, Forrester analyst John Kindervag described how cybersecurity efforts that emphasized perimeter defense exposed organizations to a range of external and insider threats. In the process, he set forth the broad contours of ZTA. From the outset, the term zero trust meant that no activity, regardless of whether it originated inside the network or outside of its perimeter, should be assumed to be trustworthy. In terms of the medieval castle, this would mean increasing security inside the walls, such as by locking and guarding more doors and requiring visitors to repeatedly verify their identity as they move about the castle grounds.

Enterprises themselves have grown more complex. Organizations now effectively lack perimeters. Systems are increasingly migrating to commercial clouds, and organizations operate hybrid infrastructures where some resources remain on legacy data centers while others move to commercial clouds. As noted, the rapid pivot to telework and an increasingly mobile workforce are greatly complicating enterprise security planning, as a proliferating number of devices access agency resources. Moreover, organizations such as the Departments of Defense, State, and Justice and elements of the intelligence community continue to operate multiple networks, often geographically dispersed across the United States and the globe. The long-term incentive for ZTA is that it provides opportunities for vertical and horizontal scalability which will lead to cost savings and increased security over time. The progression from the high castle perimeter to a segmented, guarded ZTA is a continuum, involving many small measures that each contribute to a resilient, protected system.

Barriers to Implementation

Shifting from perimeter defense to ZTA is not as easy as flipping a switch; it is a complex undertaking. Further, it involves more than procuring new hardware and software. Making such a shift requires adopting new policies, processes, and structures. Executive Order (EO) 14028 directs the federal government to implement ZTA, but a number of budgetary and cultural hurdles could delay or prevent the widespread adoption of supporting policies and technologies. The following categories are key areas where agencies and departments might struggle in their respective attempts to design and implement a robust ZTA.

Shifting from perimeter defense to ZTA is not as easy as flipping a switch; it is a complex undertaking. Further, it involves more than procuring new hardware and software. Making such a shift requires adopting new policies, processes, and structures.

Budget and Acquisition

The requirements outlined in EO 14028 represent potentially significant changes in the software acquisition space. EO 14028 lays out several actions that will shape acquisitions, including revised contract language requiring companies doing business with the government to share information about cybersecurity.

▲ Table 1: Requirements Outlined in Executive Order (EO) 14028

The EO’s suggested changes represent a significant increase in data collection and preservation. These data-sharing requirements are often unpopular within industry because they are viewed as burdensome and may reveal vulnerabilities that commercial companies do not want to share with the government or of which the companies themselves are often unaware. These are necessary steps in moving toward ZTA, but government needs to anticipate and create policies and legislation to further mitigate these concerns and incentivize sharing. The EO requires the director of the Office of Management and Budget (OMB) to review the Federal Acquisition Regulation and the Defense Federal Acquisition Regulation Supplement within 60 days, in consultation with the secretary of defense, attorney general, secretary of homeland security, and director of national intelligence, with recommendations posted for public comment within 90 days of that review. The Department of Defense (DOD), General Services Administration (GSA), and NASA opened public comment periods for Notice of Proposed Rulemaking, which closed in April 2022. As of May 2022, Defense Acquisition Regulatory Council staff were drafting the proposed rule. In concert, CISA’s Applying Zero Trust Principles to Enterprise Mobility, released in March 2022, called for “a tighter integration between [Enterprise Mobility Management] EMM and mobile threat defense and enterprise logging, monitoring, diagnostics, and mitigation systems is needed towards meeting [zero trust] ZT requirements of the May 2021 Executive Order 14028.” That included a draft Zero Trust Maturity Model, which was likewise open for public comment until April 2022.

To cover the costs of ZTA, the FY 2023 budget provides an additional $486 million to CISA, bringing its total funding to $2.5 billion, a portion of which will support the transition to ZTA. The Department of the Treasury’s Cybersecurity Enhancement Account demonstrates the priority put on the move to ZTA, allocating over $86 million of its $215 million in program increases — including 9 of its 21 proposed additional full-time equivalent staff — to the effort. Investments such as these point to ZTA as both a budget priority and long-term project.

While the specifics are still under development, EO 14028 calls for a substantial increase in security and resilience measures that, when implemented, should mitigate the damage during a breach. Implementing those measures will require new polices, processes, and IT architectures, which each agency and department must adapt to its needs. The full cost of transitioning to ZTA remains unknown, although over the long term, the benefits from ZTA, in the form of improved security and productivity, as well as the costs of not moving in this direction, will be substantial.

Tech Debt

Migrating an entire enterprise to ZTA is, invariably, an incremental process. A key consideration in migration is the need to manage legacy — often outdated — devices, systems, and architecture. Managing risk from this “technology debt” is a significant challenge for federal agencies.

The U.S. federal government spends approximately $90 billion annually on IT. However, according to analysis by the Government Accountability Office (GAO), the GSA, and members of Congress, much of this funding is dedicated toward maintaining legacy, often antiquated systems.

According to one expert interviewed in support of this report, departments and agencies often find it challenging to secure funding and authorization for new large-scale IT modernization efforts and relatively easier to obtain funding for existing systems. This dynamic often motivates agencies to focus on operating and maintaining existing systems rather than pursuing new capital investments. Over time, these forces have contributed to the federal government’s current level of technology debt. As a result, federal cybersecurity officials find themselves responsible for maintaining legacy, often mission-critical systems while trying to ensure that these systems do not become key weaknesses in the organization’s overall security posture. The federal government has, unfortunately, already vividly demonstrated how compounding technology debt can leave systems vulnerable to compromise. Despite the substantial privacy and national security implications of the compromise in June 2015 of personnel data and background investigation information at the Office of Personnel Management, more than six years later the agency was still struggling to implement wide-ranging enterprise security modernization initiatives.

In addition to funding and planning challenges, efforts to manage legacy systems can present a dilemma between user experience and security. Pursuing a seamless user experience, developers may integrate access to legacy services into newer capabilities. However, such an approach means that the new system could inherit any vulnerabilities present in the legacy service. In many circumstances, effective risk mitigation while migrating to ZTA may require federal agencies to consider temporarily degrading user experience in the broader interest of security. For example, adhering to the fundamental ZTA principle of “limiting the blast radius” of any successful breach requires agencies to segment their networks, particularly legacy systems and operational technology (OT). While such segmentation inevitably creates some friction for users by restricting their ability to move around the network, access certain data across the network, or escalate permissions, failing to close this vulnerability presents a greater risk. Further, implementing many ZTA authentication technologies ultimately can move segmentation into the background and allow the user experience to appear seamless.

In this process, communication with affected users needs to be an ongoing priority. Most importantly, users must understand that measures to wall off legacy systems from the rest of the enterprise are a necessary, temporary inconvenience to maintain the broader integrity of the organization’s IT systems. Such measures should be accompanied by a clear roadmap for modernizing the underlying technology.

Lack of Urgency and Behavioral Friction

During the roundtable discussion, participants agreed that agency leaders recognize that moving to ZTA is important. This conclusion is consistent with a recent Cyberscoop and Fedscoop report that surveyed agency leaders and IT experts across the federal government in December 2021. When asked to evaluate the impact of EO 14028 in “getting agency leaders to commit resources to critical cybersecurity projects,” 86 percent of civilian agency respondents, 81 percent of defense agency respondents, and 64 percent of intelligence community respondents either agreed that it was “game-changing” or “greatly needed.” However, a number of the CSIS roundtable participants also agreed that the conceptual acceptance of ZTA or the value placed on the EO has not translated into a commensurate sense of urgency.

A lack of urgency, expressed by the highest levels of the departments and agencies, could lead to superficial “box-checking” compliance in the near term — minimal exerted effort to meet the basic requirements of compliance — when what is needed are investments in comprehensive and dynamic plans that can be adapted over time. Though further investigation is required to fully assess the quality of agencies’ newly proposed ZTA designs and implementation plans, that same Cyberscoop survey also polled respondents on the following question: “How much progress has your agency made to date (as of December 2021) with building strategies around the EO?” Among respondents, 15 percent stated that roughly half of the strategies required have been developed. A staggering 43 percent believed roughly three-quarters of the required strategies have been implemented, and another 33 percent believed all the strategies required have been developed. The discrepancy between experts interviewed by CSIS and the survey responses from current agency leads and IT experts might indicate that some of the agencies are currently operating on a sense of complacency that enough has been done to satisfy the EO and, by extension, increase overall security.

Relatedly, behavioral friction can further thwart incentives for agency leaders to develop a greater sense of urgency and aggressively adopt more security policies that align with ZTA mindset. At the rank-and-file level, moving control frameworks closer to the user and device means establishing security procedures that add steps or require a change in habits. While security imperatives should outweigh ease of use, it can be difficult to push out these new processes to the larger workforce.

Unclear Policies

Misalignment between agency policies and OMB guidance can also cause confusion and unclear paths to ZTA implementation. For example, one of the roundtable participants noted that typical budget review and approval processes are not structured in a way to meet EO 14028’s ambitious FY 2024 deadline — budget cycles take years to catch up with new spending mandates. The budget process disincentivizes large-scale, long-term changes. Timelines are a good forcing mechanism, but short timelines with limited guidance could create budget issues for agencies that are having a difficult time prioritizing efforts in this space. It is still too early to determine how many agencies met the OMB’s initial reporting deadlines outlined in EO 14028 and how many either took advantage of the waiver exception or missed the deadline altogether.

Moreover, one interviewee noted that while each standalone policy might be important, the disparate policies do not help create coherent strategy when taken together. Coordinating offices — especially the Office of the National Cyber Director (ONCD) — are best placed to identify these disconnects and issue clarifying guidance.

Leadership and Accountability

Several interviewees noted that much of ZTA implementation relies on access to resources and high-level buy-in from agency leadership. Looking across the government, interviewees reported confusion about who is leading strategic coordination. OMB has the most clearly defined role, but CISA, the National Security Agency (NSA), and ONCD all provide guidance and play a larger role in actively managing progress across federal networks. Without clearly delineated roles at the coordination level, it can be difficult for cabinet secretaries and department heads to know whose guidelines should take priority.

▲ Figure 1: ZTA Management

While OMB has the current lead to help agencies prioritize initiatives during their ZTA migrations, it lacks sufficient staff and expertise to ensure implementation on its own. Other entities, such as ONCD, might have greater cyber expertise to both monitor and build out long-term plans with the agencies and departments. Budget oversight and review is key and is currently a joint effort led by OMB and supported by ONCD. It is important to note that this system of cooperation is most formally and visibly represented by the dual-hatted OMB federal chief information security officer (CISO)/deputy national cyber director position. However, the current arrangement potentially puts too much pressure on OMB. Instead, an existing department or office with a cybersecurity mandate should take the lead.

At the agency or department level, an added barrier is identifying which individual or office should be in charge of monitoring the ZTA migration progress. Though the specific role will vary depending on the agency, roundtable participants and a few interviewees alike emphasized that federal CISOs, though likely candidates to oversee ZTA developments, should not be in charge of this effort unless given greater authorities. Effective ZTA implementation requires oversight and control over relevant parts of the agency’s budget review and allocation process, authority to change security policies across the agency to make sure they align with ZTA principles, and the ability to sufficiently prioritize cybersecurity modernization when faced with other competing priorities.

Finally, beyond any confusion about who is in charge, there are questions about what these tasked individuals or offices are being held accountable for. The federal guidance is intentionally vague to provide flexibility to the agencies and departments on their ZTA journeys, but that also means there are no standard metrics to assess progress. One expert pointed out that it is extremely clear what failure or negligence looks like when it comes to physical security. It is less clear in the cyber domain, making it difficult to design agreed-upon standards by which to grade success or failure. A lack of clear expectations and a faltering sense of urgency is a recipe for complacency.

Perception Issues

Extending beyond the aforementioned challenges, a number of the experts noted that ZTA has a perception issue. The term itself has been around for some time, and to varying degrees, ZTA can still be seen as an overwhelming, costly, or time-intensive marketing gimmick.

Fortunately, much of the federal government, particularly national security agencies and departments, have been in the practice of adopting technologies and processes that, while currently insufficient, are foundational and compatible with zero trust frameworks. For example, one of the interviewed experts noted that even though industry is often touted as being ahead of government when it comes to designing ZTA, departments such as DOD are ahead of the private sector with regard to how data is classified, rationalized, accessed, and stored in a precisely segmented fashion. The more highly classified the data, the less trust is assumed or allowed in accessing this data, with more preventive controls based upon user identity, verification, and authentication mechanisms, enforced across physical and logical control planes.

As one of the roundtable experts remarked, ZTA works well when the “mission advantage” is well understood and clearly articulated. It is the same question that the private sector has to address — beyond security, how can implementing ZTA principles be framed as benefitting the bottom line?

Fortunately, much of the federal government, particularly national security agencies and departments, have been in the practice of adopting technologies and processes that, while currently insufficient, are foundational and compatible with zero trust frameworks.

Recommendations

Researchers identified the following seven initiatives that should be near-term priorities for government efforts to implement ZTA:

▲ Figure 2: Near-Term Priorities

In addition to the near-term priorities list, the CSIS research team identified the following additional recommendations that warrant consideration:

Agencies and Departments

1. Engage in network penetration exercises. The federal government should develop a cultural acceptance — even encouragement — of frequent penetration testing. Agency heads can encourage this mindset by acknowledging that security is never perfect and that a penetration test that finds nothing is a failed penetration test. Penetration testing and policies around asset management should go hand-in-hand.

2. Map system dependencies when doing asset management. It is important to not just be aware of what devices are connected on your network but how those individual devices interact with each other. By maintaining an accurate asset inventory, identifying critical assets, and factoring in dependencies between different devices in an enterprise’s network, an organization can be better positioned to make informed decisions regarding budgets, resource allocation, and acquisitions. Additionally, clearly mapping out system dependencies can help agencies understand potential cascading consequences and identify “single points of failure” or other key nodes. This in turn will help them better understand and prepare for a variety of malicious activity and can help agencies better anticipate complications as they attempt to replace all or parts of legacy systems.

3. Set priorities that are “contextually dependent.” Agencies and departments will have different contextual backgrounds that need to be considered when setting priorities. Different sectors of the federal government will be embarking on their migration efforts at different starting maturity levels, and the OMB’s zero trust strategy accounts for that. Agencies and departments are expected to all be moving in the same general direction but should set priorities that account for their current cybersecurity posture, agency mission and culture, leadership buy-in, and the overall working relationship of an agency or department with Congress.

4. Transition from vulnerable multifactor authentication (MFA) systems to more secure authentication mechanisms within the next few years. In addition to updating actual MFA policies and applications as needed, departments should gradually move toward even more secure authentication apps and processes, such as FIDO authentication. FIDO login credentials do away with usernames and passwords and instead rely on passkeys that are generated by a user during their first interaction with a device or website (e.g., biometric sensors). The passkey can then be automatically applied anytime the individual uses the device.

5. Designate deputy secretaries as the lead for ZTA implementation; however, agency heads are ultimately responsible for cybersecurity. The deputy secretary level is well placed to manage the internal processes necessary for the transition and also to remove roadblocks to implementation. Consistent, focused attention at the deputy secretary level will speed the transition. The buck still stops with agency heads, however, in particular when explaining progress (or a lack thereof) to Congress.

6. Demonstrate the mission value of migration to ZTA. Leaders should emphasize business and mission advantage to drive digital transformation. Doing so will incentivize key actors by providing a sense of direct benefits to their respective organizations.

7. Inform workflows with threat intelligence. User authentication should be informed by threat intelligence and enhanced by processes that enable continuous data enrichment, analysis, and correlation. Agencies and departments should evaluate methods for automating these processes using machine learning and other data analysis tools that can measure the quality and trust of the underlying threat data.

8. Enable Data Orchestration. ZTA implementation will require interaction of multiple technologies for user authentication at every level. If handled manually, this level of effort is unscalable. Agencies and departments should eliminate inefficiency and visibility gaps stemming from manual execution of tasks; instead, they should create an orchestration layer that is not bound to any one technology but underlies the entire ZTA architecture and engages with all tools.

Congress

1. Expand and streamline modernization and working capital funds. Initiatives such as the Technology Modernization Fund (TMF) and IT Working Capital Funds, both of which were enacted in 2017, have created new authorities and funding vehicles that agencies can utilize to accelerate their technology modernization efforts. Congress should annually or biannually set up a formal review of the programs, particularly the TMF, to ensure the funds are being appropriately and consistently funded year after year to meet broader federal cybersecurity needs. Congress should also consider establishing an “agility fund,” where agencies with urgent needs are able to quickly receive support funds if issues arise during their ZTA migration.

2. Conduct a formal review of the OMB and ONCD’s efforts to assist with overall ZTA plans. To ensure that the OMB, ONCD, and other agencies tasked with coordination are making necessary progress, Congress should better assert its oversight authority and closely monitor government-wide compliance with EO 14028. Different agencies will have varying levels of understanding of the importance of embracing ZTA. Congress must remind these agencies what is required of them in this endeavor. This emphasis is particularly important for independent agencies, as the Executive Office of the President will have extremely limited authority. Since ZTA migration is a multiyear effort, the CSIS team recommends a biannual review starting in 2024. Authority in Congress for this review is dispersed, as each agency or department reports to its own oversight committee, but the Homeland Security Committee is best placed to be a central oversight mechanism.

3. Enhance transparency of ZTA implementation progress. Federal government leaders should commit to transparently documenting and sharing lessons learned with other agency leads and Congress during the ZTA journey to “foster a culture of continuous improvement” and learning among agencies and departments.

4. Take a hard look at congressional systems. Congress is not immune from attacks, nor should it postpone a ZTA effort of its own. Congressional leaders should be asking hard questions of its own security measures.

CISA

1. Clarify role and authority. CISA is situated as a leader in the civilian federal zero trust journey, but its role in ZTA implementation is relatively unclear. There is a need to clarify the boundaries of CISA’s role and what authorities it has in enabling, managing, and assessing the progress of ZTA implementation at other departments and agencies. CISA is poised to play the role of ZTA enabler, yet clearer authorities would address the remaining loopholes and aid it in its ability to surge support to agencies along their ZTA journey. As recommended by interviewed experts and in a recent report from the National Security Telecommunications Advisory Committee (NSTAC), CISA should be a knowledge management center of excellence for ZTA for the civilian government, providing resources to further aid agencies, such as implementation guidance, reference architectures, capability catalogs, and training modules. Additionally, given the role and mission of CISA, it would be an ideal agency to implement a centralized model to surge support in implementation, tools, training, and teams to help with the adoption of ZTA.

2. Conduct studies with outside labs and research institutions to assess where ZTA migration disruptions might occur and how to best mitigate their impact. There will inevitably be some disruptions in the process of migrating to ZTA. However, repeated disruptions could kill willingness to move forward. CISA should not only pre-emptively identify where those disruptions might take place but also ways to mitigate issues that may arise. This is especially important when considering OT disruptions. OT is often controlling activity where disruption could have a significant impact. Failure to consider the unique requirements and challenges in the OT context could further stymie plans to transition to ZTA.

ONCD

1. Clarify roles and authorities (especially in relation to ONCD, OMB, and CISA). There is an opportunity for the ONCD to play a more visible role in processes related to high-level coordination, budget review, and information sharing as it relates to ZTA. For example, ONCD should draft the strategy and ensure coherence in its implementation, including overseeing budgets for ZTA. OMB has a potential “hammer” to ensure appropriate action is being taken, but ONCD will have deeper expertise to inform those decisions, analyze and assess progress, bring greater coherence to relevant budgets across departments and agencies, drive necessary decisions, and deconflict demands for resources. More clearly defining ONCD’s role as the overall lead for ZTA will also help more clearly define the boundaries of the authorities of the other agencies managing ZTA implementation vis-à-vis the ONCD and will help CISA stand apart as the more operational lead that can provide tools and expertise to help departments and agencies.

2. Create metrics to measure ZTA implementation successes. The NSTAC report recommended that federal CISOs, in coordination with ONCD, “establish or enhance the existing metric-based requirements tied to industry best practices for [ZTA] implementation with reporting accountability at the agency CISO-level or above.” The CSIS team recommends that interagency reporting accountability should be at the deputy secretary level. This will work best if CISOs and chief information officerss are given stronger authorities to sufficiently support agency and department-wide ZTA implementation. Agencies and departments should implement this approach, learning from industry successes and failures in this space.

3. Prioritize aligning policies both across the U.S. government and within each department and agency. Misaligned policies at any level could delay ZTA implementation.

Long-term Enablers for Implementation

Zero trust and a focus on endpoint security are necessary prerequisites to increasing overall security; however, to fully support a commitment to ZTA principles and grow institutional resilience, a number of the interviewed experts underscored that the federal government needs to have long-term plans to ensure both consistent funding streams and a fully staffed, properly skilled workforce.

Funding

Cyber threats to the U.S. government will only continue to grow over the next few years, whether from the expansion of nation-state cyber programs, existing adversaries upgrading their capabilities, or new technologies creating additional vulnerabilities. As a result, the federal government’s new zero trust strategy will have to be bolstered by funding to enable effective cyber defenses. On cybersecurity-related spending, the administration requested $10.9 billion for FY 2023, with an eye on funding a strategic shift in defending federal infrastructure and service delivery. In total, the administration seeks $65 billion for IT at civilian agencies, covering 4,290 investments at 24 agencies.

CSIS’s interviewees corroborated that, so far, funding processes have been a hindrance rather than an advantage in adopting new strategies for securing critical infrastructure. Furthermore, the current budgeting process and implementation strategies are not yet aligned with the government’s commitment to instituting a new ZTA strategy. Achieving full-scale federal cybersecurity and implementing endpoint detection and response (EDR) through ZTA will require the federal government to make difficult budgetary decisions and prioritize funding streams in favor of ZTA policies over other standard IT protocols at almost every stage of cybersecurity, including software and hardware acquisition, migration processes, and training in cybersecurity and digital technologies, among others.

To facilitate funding requests and allocation processes, the government must devise distribution plans according to priorities, breaking down milestones to achieve useful capabilities and distributing the funding accordingly. For instance, per an interviewee, data on the implementation strategies can be collected and assessed through trial stages to determine whether funding strategies need to be restructured and budgeted accordingly. In the same vein, the importance of strengthening procurement vehicles — delivery, data, testing and prototyping, and talent — for the different agencies cannot be understated. Reassuring agencies that their most crucial demands, such as next-generation hardware, prototyping funds, and talent recruitment, are being accounted for will increase the likelihood of their engagement in and optimism for the ZTA maturation process.

Agencies should operate within budget and will therefore seek funding before embarking on transitions to fulfill ZTA policies. Interviewed experts agreed that budget prioritization will be an inescapable layer in the larger ZTA implementation plan. To ensure every relevant agency obtains the necessary funding to shift toward ZTA and adopt EDR as a result, government budgeting bodies will need to be realistic about the expenses associated with these initiatives and the types of funding each agency will require while eliminating non-integrated and redundant solutions. In its role, the ONCD should assist agencies to prioritize and strategically coordinate funding. Additionally, per an interviewed expert, by providing more support for models that operate within the appropriations cycle, the ONCD can help agencies accelerate ZTA adoption.

Talent

Strong talent acquisition remains an ongoing challenge across the DOD and broader federal defense agencies. Among other things, cultural factors have largely impeded progress in hiring top technical and cyber talent. CSIS’s interviewees agreed that to secure the country’s critical infrastructure against cyberattacks and implement a culture of zero trust, the government needs to create a strong pool of individuals who are not only skilled for the job but also share the mission values. Creating a technically competent workforce is central to effectively implementing ZTA across the federal government since this model requires a cybersecurity understanding and mindset distributed across the federal employees responsible for implementing it. Workforce generation, therefore, is an important tool in the implementation processes of ZTA.

Hiring strong talent and creating a tech-leaning workforce can be achieved through two means: instituting reforms and new initiatives among hiring authorities and borrowing tech talent from the private sector themes that are strongly emphasized in the Cyberspace Solarium Commission 2.0’s recently published white paper on the cyber workforce. Interviews revealed strong consensus among government officials that federal agencies struggle to attract and retain critical talent. Above all, agencies must strategize on how to communicate the concept of zero trust to their workforce and adopt a mission strategy that the workforce can own as well.

Creating a technically competent workforce is central to effectively implementing ZTA across the federal government since this model requires a cybersecurity understanding and mindset distributed across the federal employees responsible for implementing it.

Talent acquisition and retainment are heavily contingent upon creating the right working culture and environment. The federal government has struggled with a cultural perception problem, where many people are repelled by the government’s bureaucratic and “slow-moving ship” reputation. To add to this problem, the federal government’s performance appraisal system currently does not incentivize adoption of ZTA principles or transitioning old cybersecurity approaches to new, robust measures within the federal agencies. Agencies should foster a cybersecurity culture that moves away from the check-list approach and instead embraces learning, innovation, disruption, and diversity in talent and skills and encourages employees to take on new initiatives without instilling the paranoia of failures. In short, it should adopt the private sector approach of “fail fast, recover faster.” Investment should, therefore, be geared toward fostering interest in the mission while acknowledging the zero trust learning curve, especially with individuals without a cyber background.

In a bid to obtain a much-needed cyber workforce, the government must collaborate with its fierce competitor for talent: the private sector. Some private companies are relatively able to better integrate new talent but also create new talent. These companies offer not only larger salaries but also provide attractive incentives, such as a culture and environment of fast-paced innovation, opportunities for growth, and training and education programs. Through partnerships, the government can borrow technical talent from private companies to accelerate the adoption of the new zero trust strategy along with training emerging talent.

Fostering the right behavior takes time, developing new skills is a lengthy process, and the need to develop hygiene for cybersecurity has not yet diffused across all the agencies and the workforce. Ultimately, acquiring an inclusive, skilled, vibrant, and diverse workforce will hinge upon organizational restructuring at all levels of management to effectively reform government agencies’ organizational cultures and working environments.

---

Rose Butchart is the Associate Fellow of the Defense-Industrial Initiatives Group.