Biden Aims to Drive Zero-Trust Architecture Nationwide

The Biden administration has begun defining a zero-trust architecture for the U.S. government’s cybersecurity systems and day-to-day operations. Its ambitions for zero trust as a cyber defense reach beyond this already bold goal, deep into the private sector.

By its nature, a public procurement initiative of this scope influences the marketplace, as federal contractors adjust to new requirements and bring their supply chains in line, as well. But the Biden administration is looking to exert additional influence on the uptake of zero-trust architectures nationwide with measures ranging from public-private software development processes to a software labeling program, like the “energy star” label on appliances, to verify the security of software.

To that end, the administration issued an executive order in May[1] and a draft architecture in September,[2] as critical infrastructure in both the U.S. public and private sector was relentlessly targeted by ransomware attacks. “For too long, we have kicked the can down the road,” the order said. “We need to use the purchasing power of the federal government to drive the market to build security into all software from the ground up.”

The zero-trust strategy is one of several initiatives included in what the administration calls its “whole of government” response to ransomware and other types of cybercrime. Other initiatives include supporting ransomware reporting legislation[kl1]  and conducting international diplomacy to fight global criminal networks and state-sponsored cyberattacks.

Early Days for Zero Trust

Osterman Research recently reported that many private- and public-sector organizations are still in the early stage of deploying zero trust: “They are just starting, or they are yet to start.” Nearly two out of three organizations (65%) expect to achieve full deployment of a zero-trust architecture within two years, the research group said.[3]

Zero trust involves several organizational and technological changes. Key aspects include:

• Approach: No individual or device is to be trusted without continual verification, whether inside or outside an organization. This approach replaces the practice of building a perimeter around an organization to protect data and operations from cyberattacks.
• Technologies: Zero-trust architectures are built on key technologies, such as identity and access management, application access management, data classification and data flow management. The architecture is just one facet of an organization’s cybersecurity defenses, complementing or integrating with software vulnerability management, detection and response systems, and other protections.
• Barriers: Barriers to implementation include limitations on deploying zero trust on legacy systems, Osterman said. What’s more, zero-trust architectures must be designed and implemented without impacting productivity. They require significant organizational change to surmount resistance from employees and other stakeholders faced with validating their identities and access rights more frequently under various circumstances. There could be dozens or more of these so-called “micro-segmentation policies.”

Ultimately, Osterman’s survey showed that zero trust is expected to double the average efficacy of defenses against a range of cyber threats.

Federal Zero-Trust Strategy

The zero-trust architecture released by the administration for comment in September is intended to set baseline policy and technical requirements while focusing on key security outcomes. Implementation is described as a multiyear journey. More specifically, it includes:

• Consolidating agency identity systems.
• Combating phishing through strong multifactor authentication.
• Treating internal networks as untrusted.
• Encrypting traffic.
• Moving protections closer to data by strengthening application security.

In tandem, the White House statement lays out “a concurrent public-private process to develop new and innovative approaches to secure software development and uses the power of federal procurement to incentivize the market.” A pilot program would be launched for the labeling program mentioned above, aimed not only at government but also the public at large.

Businesses Response Is Tentative

The zero-trust architecture and its companion initiatives in Biden’s “whole of government” cybersecurity directive “will have a broad impact on the private sector,” according to an analysis by the Wiley law firm. “It seeks to mandate raising the bar through a series of steps that will aggressively alter the cyber landscape for both the public and private sector.”[4] 

Companies have responded tentatively. For instance, the Information Technology Industry Council (ITI), a trade association, expressed overall support but raised several concerns. “In its current form, the document appears to perpetuate the concept of security silos,” ITI said. “Greater clarity around a comprehensive approach to zero trust will help agencies refine their approach across people/devices (workforce), applications/data (workload) and assets (workplace).” 

The group also suggested that the plan be more prioritized and that its approaches to cyber risk be more proactive.^[5]

For its part, Cisco wrote: “This effort must be visibly supported by non-technical agency leadership.”[6] The company explained the need for greater emphasis on this point, saying that “implementation of zero-trust principles will result in changes to the way the entire agency works and will change risk tolerance for all agency employees.”

BSA | The Software Alliance expressed a wait-and-see attitude. “I would say industry likes clarity … but industry also likes quality so if what comes out of it is overly broad and creates more signal than noise there's a little tension there,” said BSA Policy Director Henry Young.[7]

The Bottom Line

As the Biden administration rolls out a zero-trust architecture, it is also looking to drive this emerging approach to cybersecurity throughout the country, in both the public and private sector. These are still early days, but research shows high hopes among security executives in zero trust’s potential to improve security.

[1] “President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks,” White House

[2] “Office of Management and Budget Releases Draft Federal Strategy For Moving the U.S. Government Towards a Zero-Trust Architecture,” White House

[3] “Why Zero Trust Is Important,” Osterman Research

[4] “Biden’s Cyber EO Aims to Improve Federal Security and Move Private Sector,” Wiley

[5] “Re: Call for Public Comments on the Federal Zero-Trust Strategy,” Information Technology Industry Council

[6] “Zero Trust and the Federal Government: Feedback for Progress,” Cisco

[7] “Industry Groups Express Cautious Optimism About Biden’s Executive Order on Software Standards,” BSA | The Software Alliance

 [kl1]Link to MB Ransomware Reporting Mandates (not yet posted)