Update on the US Federal Government’s zero trust implementation roadmap for 2024
In 2022, the US government set forth a federal zero trust architecture (ZTA) strategy; a year later, let’s look at the progress made.
The term "zero trust" is currently the main buzzword in cybersecurity, but many still find it challenging to define. Despite the name, the concept is not about deciding whether to trust or distrust a person or device; it is about eliminating trust as the deciding factor for access to a system and securing data on the assumption that a breach has already occurred. In the past, anyone inside the corporate firewall was automatically considered authorized, whereas zero trust operates under the premise that no user has access to applications, APIs, data, servers, etc. unless they authenticate both themselves and their devices every time they connect. Such continuous authentication is performed using dynamic policies that evaluate multiple contextual factors.
Zero trust was previously talked about mostly in the context of a business enterprise architecture. This changed last year, as the US Government officially committed to zero trust security adoption by 2024.
Moving toward zero trust cybersecurity principles
The White House kickstarted the initiative by releasing a memo in January 2022, requiring federal agencies to “achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024”. In November last year, the Department of Defense (DoD) officially communicated its commitment to the federal mandate by releasing a strategy document that outlines its plan for implementation and adaptive approach for accelerating the shift to a zero trust framework.
Exploiting existing vulnerabilities, as in the recent case of Apache Log4j, attackers continue to find new ways to penetrate systems and access sensitive data, intensifying the need for a proactive defense approach built on zero trust security principles. Those principles act as an extra layer of protection, preventing unauthorized access and allowing federal agencies to effectively detect, isolate, and respond to new types of threats. In the context of defending against evolving attack mechanisms and techniques, it “is about ensuring the Federal Government leads by example,” said Shalanda Young, the acting director of the Office of Management and Budget (OMB).
The DoD unveils its zero trust strategy and roadmap
The DoD’s zero trust strategy document outlines the future cybersecurity investments for the US military and its partners over the next five years, aiming at full implementation throughout the department by 2027. It defines zero trust as a security framework including MFA, micro-segmentation, encryption, endpoint security, analytics, and auditing to strengthen data, applications, assets, and services for cyber resiliency. The framework aims to decrease the attack surface, control risks, and enable secure data-sharing while ensuring the containment and remediation of adversary damage in case of a breach.
The rise of professional and nation-state cyber attacks currently has both businesses and government agencies on high alert. In the modern remote work environment, private organizations and government institutions need to protect sensitive data and applications regardless of who accesses them or from where. DoD’s prioritization of a zero trust approach over perimeter-based security is viewed as a major step forward for its overall efforts of building resiliency and ensuring 360-degree protection of its crown jewels.
The roadmap doesn’t recommend any specific product, solution, or vendor, leaving it up to the agencies and military services to make those decisions. The DoD has also provided an execution roadmap to ensure clear, concrete steps for implementation, and is most likely to test its new approach with major US cloud providers.
Here are the guiding principles that provide guardrails for the DoD when making decisions about strategy implementation and zero trust execution:
- Follow the principle of least privilege with regard to remote users.
- Presume breach and limit the "blast radius" by segmenting access, reducing the attack surface, and monitoring risks.
- Incorporate DOTmLPF-P (doctrine, organization, training, materiel, leadership and education, personnel, facilities, and policy) into the design, development, deployment, and operations of zero trust capabilities.
- Establish appropriate governance controls to simplify and automate the existing fragmented approaches to data management, IT modernization, and cybersecurity policies and solutions.
- Never trust, always verify explicitly by treating every user, device, and application as untrusted and unauthenticated.
- Follow the principle of least privilege.
- Scrutinize and analyze the behavior of all users and devices in real time.
- Ensure architectural alignment with the DoD Zero Trust Reference Architecture (ZT RA) design tenets.
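The per-connection policy evaluation described in the definition above and the "never trust, always verify" and least-privilege principles just listed can be made concrete in a small policy decision function. This is an added illustration, not code from the page, the DoD strategy, or Worldr; the roles, resources, and posture fields are constructed sample data, and the key property it demonstrates is that network location is never a trust signal.

```python
from dataclasses import dataclass
from typing import Tuple

# Added example (not from the original page): a per-request zero trust policy
# decision. Identity, device posture and entitlement are evaluated on every
# request; being "inside the corporate network" is recorded but never trusted.

@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool          # did the user complete MFA for this session?
    device_managed: bool        # is the device enrolled and attested?
    device_compliant: bool      # does it pass posture checks (patched, EDR on)?
    on_corporate_network: bool  # kept for logging only, never used for trust
    resource: str
    action: str                 # "read" or "write"

# Constructed least-privilege entitlements: allowed actions per role and resource.
ENTITLEMENTS = {
    "analyst": {"public-docs": {"read"}, "finance-db": {"read"}},
    "admin":   {"public-docs": {"read", "write"}, "finance-db": {"read", "write"}},
}
USER_ROLES = {"alice": "analyst", "bob": "admin"}   # constructed sample users
SENSITIVE = {"finance-db"}                          # resources needing compliant posture

def decide(req: AccessRequest) -> Tuple[str, str]:
    """Return (verdict, reason). Every check must pass; the network is ignored."""
    if not req.mfa_verified:
        return "deny", "user not strongly authenticated"
    if not req.device_managed:
        return "deny", "device not enrolled or attested"
    if req.resource in SENSITIVE and not req.device_compliant:
        return "deny", "device posture fails for sensitive resource"
    role = USER_ROLES.get(req.user)
    allowed = ENTITLEMENTS.get(role, {}).get(req.resource, set())
    if req.action not in allowed:
        return "deny", f"role {role!r} lacks {req.action} on {req.resource}"
    return "allow", "all checks passed"
```

A request from inside the corporate network without MFA is denied, while a fully authenticated, compliant request from anywhere is allowed only for the actions its role is entitled to.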
In some ways, the US Government is similar to a business enterprise: its employees work toward a common goal, communicating, exchanging data and documents, deploying software, operating hardware, and more. But when it comes to the value of the data that circulates within the government and the cost of a mistake that could lead to a breach, the stakes are far more delicate and complex than for a private organization.
This is the reason why the zero trust security initiative was promoted on a federal level, facilitating the move of all key applications to the cloud environment built on zero trust security principles. We will continue to closely monitor the implementation of the roadmap, which will no doubt prove highly valuable and help revolutionize security in both the public and private sectors.
Worldr brings zero trust security to your existing communications. Our solutions help you meet the demands of a constantly evolving regulatory landscape and adhere to new data protection laws. Get in touch today to request your demo.