Federal Guidelines for Zero Trust

What Is the Federal Zero Trust Strategy?

The Federal Zero Trust Strategy is the set of US government guidelines for implementing a Zero Trust security model. There is no single document; rather, several guidelines exist, and each contains valuable information to help shape a strategy, decide on functionality, and implement the necessary security controls.

One of the central principles of the Federal Zero Trust Strategy is the idea of Security Maturity. This describes the range of capabilities you would expect to find in an organization with an effective approach to cybersecurity. With specific reference to Zero Trust, a Maturity Model provides a roadmap of reference points for an agency to use as it transitions towards mature Zero Trust Security.

Zero Trust Mandate

In May 2021, the US government issued an Executive Order setting aggressive implementation deadlines for a federal Zero Trust Architecture strategy. The Executive Order directs agencies to implement Zero Trust by the end of 2023. This is a demanding timescale for something as complex as a Zero Trust Architecture, but meeting it would give government agencies a higher level of security than large organizations in the private sector.

Although the timeframe is short, there is plenty of assistance for developing a strategy, both in general and for specific types of government agency. These resources can be used to build a security model that fulfills the Zero Trust remit: eliminating implicit trust and replacing it with continuous validation at every stage of a digital interaction. Consulting the relevant guidelines is the first step.

Which Federal Guidelines for Zero Trust to Follow

Although there is no single set of Federal Guidelines for Zero Trust, three primary guides should be consulted to implement a sufficiently stringent Zero Trust Architecture.

NIST Guidelines

NIST's guidelines were introduced in NIST Special Publication 800-207 and provide the most comprehensive outline of a Zero Trust Architecture. They explain how data, applications, systems, and networks interact in a Zero Trust environment, and how agencies can shrink implicit trust zones by enforcing access policies at policy decision points on every request.

Department of Defense Guidelines

The Department of Defense (DoD) published its guidelines in February 2021. These go into more detail about how to operate a Zero Trust implementation than the NIST documentation. The guidelines’ seven “Zero Trust Pillars and Capabilities” include security controls to prevent data loss and advice on micro-segmentation of networks into logical zones. A reference architecture with a maturity model describes how to build baseline protection before moving to a Zero Trust Architecture. These guidelines mainly focus on Department of Defense agencies, with the DoD Zero Trust Reference Architecture focusing on defense-specific missions and needs.

In November 2022, the DoD released its Zero Trust Strategy and Roadmap (PDF) with the goal of a fully implemented, Department-wide Zero Trust cybersecurity framework in place by FY27.

CISA Guidelines

Finally, the Cybersecurity and Infrastructure Security Agency (CISA) introduced its own Zero Trust Maturity Model in June 2021. This is aimed at civilian agencies and defines five pillars:

  1. Identity
  2. Device
  3. Network/environment
  4. Application workload
  5. Data

It differs slightly from the DoD guidelines and also names three foundational elements that cut across the pillars:

  1. Visibility and analytics
  2. Automation and orchestration
  3. Governance

It defines three stages on the way to Zero Trust: traditional, advanced, and optimal. The last of these is the intended destination, where identity is continuously validated, user behavior is analyzed in real time with AI/ML so that protection evolves, and policies are enforced automatically rather than by hand.
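The per-request evaluation that NIST SP 800-207 describes, and the "optimal" stage above in which identity is continuously validated and policy is enforced automatically, are easier to grasp with a concrete policy decision point in front of you. The following Python is an added illustration written for this page; it is not code from NIST, CISA, the DoD, or BlackBerry. The policy table, resource names, subjects, devices, risk scores, and timestamps are all constructed sample data, and the rule set (group membership, MFA freshness, device posture, analytics risk score, default deny) is an assumed simplification of what a real policy engine would consult.

```python
"""Toy Zero Trust policy decision point (PDP).

Added example for this article, not code from NIST SP 800-207 or any agency
guideline. Every request is evaluated from scratch against the policy for the
resource it targets; there is no session-level grant that survives a change in
identity proof, device posture, or risk. Unknown resources get no policy and
therefore no access (no implicit trust zone). All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Subject:
    user: str
    groups: Set[str]
    mfa_at: Optional[datetime]   # when the subject last completed MFA
    risk_score: int              # 0 (clean) .. 100, fed by the analytics element


@dataclass
class Device:
    device_id: str
    managed: bool
    compliant: bool              # passed its most recent posture check
    posture_checked_at: datetime


@dataclass
class Request:
    subject: Subject
    device: Device
    resource: str
    action: str
    now: datetime                # evaluation time, passed in so tests are deterministic


# Assumed policy table: resource -> required group, max MFA age, device and risk limits.
POLICIES: Dict[str, dict] = {
    "hr-db": {"group": "hr", "mfa_max_age": timedelta(hours=1), "managed": True, "max_risk": 30},
    "wiki":  {"group": "staff", "mfa_max_age": timedelta(hours=12), "managed": False, "max_risk": 70},
}
POSTURE_MAX_AGE = timedelta(hours=24)


def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Default is deny: access is granted only when
    every condition of the matching policy holds at evaluation time."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, ["no policy for resource: implicit deny"]
    reasons: List[str] = []
    if policy["group"] not in req.subject.groups:
        reasons.append("subject not in required group")
    if req.subject.mfa_at is None or req.now - req.subject.mfa_at > policy["mfa_max_age"]:
        reasons.append("MFA missing or stale; re-authentication required")
    if policy["managed"] and not req.device.managed:
        reasons.append("unmanaged device")
    if not req.device.compliant or req.now - req.device.posture_checked_at > POSTURE_MAX_AGE:
        reasons.append("device posture non-compliant or stale")
    if req.subject.risk_score > policy["max_risk"]:
        reasons.append("subject risk score above policy threshold")
    return (not reasons), (reasons or ["all policy conditions satisfied"])


# Constructed sample data for the walk-through below.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
ALICE = Subject("alice", {"staff", "hr"}, mfa_at=NOW - timedelta(minutes=10), risk_score=5)
LAPTOP = Device("lap-1", managed=True, compliant=True, posture_checked_at=NOW - timedelta(hours=2))
PHONE = Device("phone-7", managed=False, compliant=True, posture_checked_at=NOW - timedelta(hours=1))


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Walk one user through several requests; each is decided independently."""
    decisions = {}
    # Same user, same resource, different device: the unmanaged phone is refused.
    decisions["hr_laptop"] = evaluate(Request(ALICE, LAPTOP, "hr-db", "read", NOW))
    decisions["hr_phone"] = evaluate(Request(ALICE, PHONE, "hr-db", "read", NOW))
    # Continuous validation: two hours later the MFA proof is too old for hr-db.
    decisions["hr_laptop_later"] = evaluate(
        Request(ALICE, LAPTOP, "hr-db", "read", NOW + timedelta(hours=2)))
    # Analytics raise the risk score mid-session; even the low-value wiki is now denied.
    risky = Subject("alice", ALICE.groups, ALICE.mfa_at, risk_score=80)
    decisions["wiki_risky"] = evaluate(Request(risky, LAPTOP, "wiki", "read", NOW))
    # A resource with no policy entry is unreachable: no implicit trust.
    decisions["unknown"] = evaluate(Request(ALICE, LAPTOP, "payroll-legacy", "read", NOW))
    return decisions


if __name__ == "__main__":
    for name, (allowed, why) in demo().items():
        print(f"{name:16} {'ALLOW' if allowed else 'DENY ':5} {'; '.join(why)}")
```

The point to take from the walk-through is that nothing about the user "alice" changes between the first and later requests, yet the outcome does: the decision depends on the device presented, on how recently the identity proof was refreshed, and on signals from the analytics element. That is what "continuously validated" and "policies enforced automatically" mean in practice, and why visibility and analytics are listed as a foundation rather than an afterthought.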

Although defense and civilian agencies will gravitate towards one of the last two sets of guidelines according to remit, alongside the baseline NIST guidelines, it’s worth consulting all three to ensure that the best security practice is implemented.

Every security team wants Zero Trust Architecture—nobody gets or keeps access to anything until they prove and continue to prove who they are, that access is authorized, and they are not acting maliciously. That’s why organizations choose BlackBerry ZTA powered by Cylance AI to protect their people, data, and networks.