What Is the Federal Zero Trust Strategy?
The Federal Zero Trust Strategy is the set of US government guidelines for implementing a Zero Trust security model. There is no single authoritative document; several sets of guidelines exist, and each contains valuable information to help shape a strategy, decide on functionality, and implement the necessary security controls.
One of the central principles of the Federal Zero Trust Strategy is the idea of Security Maturity. This describes the range of capabilities you would expect to find in an organization with an effective approach to cybersecurity. With specific reference to Zero Trust, a Maturity Model provides a roadmap of reference points for an agency to use as it transitions towards mature Zero Trust Security.
Zero Trust Mandate
In May 2021, the US government delivered an Executive Order outlining aggressive implementation deadlines for a federal Zero Trust Architecture strategy. The Executive Order directs agencies to implement Zero Trust by the end of 2023. This is an intense timescale for delivering something as complex as a Zero Trust Architecture. But implementation would also mean that government agencies would have a higher level of security than large organizations in the private sector.
Although the timeframe is short, there is plenty of assistance for developing a strategy—both general guidance and guidance for specific types of government agency. This material can be used to build a security model that fulfills the Zero Trust remit: eliminating implicit trust and replacing it with continuous validation at every stage of a digital interaction. Consulting the relevant guidelines is the first step.
Which Federal Guidelines for Zero Trust to Follow
NIST Guidelines
Department of Defense Guidelines
The Department of Defense (DoD) published its guidelines in February 2021. These go into more detail about how to operate a Zero Trust implementation than the NIST documentation. The guidelines’ seven “Zero Trust Pillars and Capabilities” include security controls to prevent data loss and advice on micro-segmentation of networks into logical zones. A reference architecture with a maturity model describes how to build baseline protection before moving to a Zero Trust Architecture. These guidelines mainly focus on Department of Defense agencies, with the DoD Zero Trust Reference Architecture focusing on defense-specific missions and needs.
In November 2022, the DoD released its Zero Trust Strategy and Roadmap (PDF) with the goal of a fully implemented, Department-wide Zero Trust cybersecurity framework in place by FY27.
CISA Guidelines
Finally, the Cybersecurity and Infrastructure Security Agency (CISA) introduced its own Zero Trust Maturity Model in June 2021. This is aimed at civilian agencies and defines five pillars:
- Identity
- Device
- Network/environment
- Application workload
- Data
It differs slightly from the DoD guidelines and also suggests three foundational elements:
- Visibility and analytics
- Automation and orchestration
- Governance
It describes three stages on the way to Zero Trust: traditional, advanced, and optimal. The last of these is the expected destination, where identity is continuously validated, user behavior is analyzed in real time with AI/ML so that protection evolves, and policies are enforced automatically.
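The "optimal" stage described above, and the Zero Trust remit of replacing implicit trust with continuous validation, can be made concrete with a small policy decision point. The following is an added illustration, not code from CISA, the DoD, or any federal guideline: every request is evaluated on identity (MFA, session age), device (managed, compliant), and behavioral context (a risk score assumed to come from an upstream analytics signal), and the decision defaults to deny. The resource names, thresholds, and sample requests are constructed for the example; note that the source network is carried on the request but never consulted, because being "inside" the network grants no trust.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed request shape: identity, device posture and context signals
# that a Zero Trust policy engine would receive for every access attempt.
@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool       # strong authentication completed on this session
    session_age_s: int       # seconds since the user last re-authenticated
    device_managed: bool     # device enrolled in device management
    device_compliant: bool   # patched, disk encrypted, endpoint agent healthy
    source_network: str      # "corp", "vpn" or "internet": deliberately NOT used for trust
    resource: str            # application / workload being requested
    risk_score: float        # 0.0 (benign) .. 1.0 (hostile), assumed from behaviour analytics

# Hypothetical per-resource policy table; all values are illustrative.
POLICY = {
    "hr-payroll": {"max_session_age_s": 900,   "max_risk": 0.30, "require_managed": True},
    "wiki":       {"max_session_age_s": 28800, "max_risk": 0.70, "require_managed": False},
}

def decide(req: AccessRequest) -> tuple[str, list[str]]:
    """Evaluate one request. Returns ("allow" | "step-up" | "deny", reasons).

    Deny is the default: a resource with no policy, a bad device, or risky
    behaviour is refused. Weak identity evidence alone triggers step-up
    (re-authentication) rather than an outright deny.
    """
    policy = POLICY.get(req.resource)
    if policy is None:
        return "deny", [f"no policy for resource '{req.resource}': nothing is allowed by default"]

    deny: list[str] = []
    step_up: list[str] = []

    # Device pillar: posture is checked on every request, not once at enrolment.
    if policy["require_managed"] and not req.device_managed:
        deny.append("unmanaged device")
    if not req.device_compliant:
        deny.append("device posture non-compliant")

    # Behavioural context: an analytics-derived risk score above the
    # resource's tolerance is a hard stop regardless of identity strength.
    if req.risk_score > policy["max_risk"]:
        deny.append(f"behaviour risk {req.risk_score:.2f} exceeds {policy['max_risk']:.2f}")

    # Identity pillar: continuous validation means sessions expire per resource
    # sensitivity and MFA is verified on this session, not assumed.
    if not req.mfa_verified:
        step_up.append("MFA not verified on this session")
    if req.session_age_s > policy["max_session_age_s"]:
        step_up.append("session older than policy allows; re-authenticate")

    if deny:
        return "deny", deny
    if step_up:
        return "step-up", step_up
    return "allow", ["identity, device and context satisfy policy"]

# Constructed sample requests covering the cases a practitioner would test.
SAMPLES = {
    # On the corporate network but without MFA: location buys nothing, so step-up.
    "corp-no-mfa": AccessRequest("alice", False, 120, True, True, "corp", "hr-payroll", 0.05),
    # From the internet with strong identity, healthy managed device, low risk: allow.
    "internet-good": AccessRequest("alice", True, 300, True, True, "internet", "hr-payroll", 0.10),
    # Everything in order except behaviour analytics flag the session as risky: deny.
    "risky-behaviour": AccessRequest("bob", True, 60, True, True, "vpn", "hr-payroll", 0.55),
    # Unmanaged device is fine for the low-sensitivity wiki but not for payroll.
    "byod-wiki": AccessRequest("carol", True, 3600, False, True, "internet", "wiki", 0.20),
    "byod-payroll": AccessRequest("carol", True, 3600, False, True, "internet", "hr-payroll", 0.20),
    # Resource not covered by any policy: implicit trust is never granted.
    "unknown-resource": AccessRequest("dave", True, 10, True, True, "corp", "legacy-app", 0.00),
}

def audit_log() -> dict[str, str]:
    """Run every sample and return {name: decision}, printing an audit line per request."""
    results = {}
    for name, req in SAMPLES.items():
        decision, reasons = decide(req)
        results[name] = decision
        print(f"user={req.user} resource={req.resource} net={req.source_network} "
              f"decision={decision} reasons={'; '.join(reasons)}")
    return results

if __name__ == "__main__":
    audit_log()
```

The reasons list is emitted with every decision so that the same engine feeds the "visibility and analytics" element: each allow, step-up or deny is an auditable record of which pillar drove the outcome.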