Last Updated on September 13, 2021
President Biden’s recent “Executive Order on Improving the Nation’s Cybersecurity” includes a major section (Section 3) on “Modernizing Federal Government Cybersecurity.” This section includes a number of explicit directives that will impact all US federal agencies—and a big part of this new guidance concerns Zero Trust Architecture.
What is Zero Trust? And what could these new mandates mean for federal agencies and the private sector companies that do business with them?
To shake out key insights about the Executive Order, a recent episode of The Virtual CISO Podcast features Scott Sarris, EVP of Digital Transformation and Cybersecurity Advisory Services at Aprio. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.
What is Zero Trust?
Scott explains the order’s guidance on Zero Trust: “I believe this represents an acknowledgement that traditional, perimeter-based security has been dead for a while. Probably accelerated a little bit with the whole COVID thing, right? The perimeter defense model is a big, tall wall around my organization with firewalls and then layers of security on the inside of the organization.”
Of course, thanks to trends like cloud computing, SaaS and remote working, more and more of our data as well as our users reside outside the organizational perimeter.
“You can only protect those things that are behind that barrier of Zero Trust,” Scott explains. “Driving that as a strategy makes great sense, because that kind of zoned model approach has essentially been illustrated to be quite a weakness. … Just because I’m on the inside of an organization, doesn’t mean I should be trusted to gain access to a particular resource. Many of those concepts are laid out in [the order].”
Zero Trust timeline for federal agencies
“Some of the technology expectations [in the order] seemed a little bit of a push from a policy perspective,” adds Scott. “Maybe that’s an acknowledgement that they needed to give a little more guidance and direction to the federal government agencies to get off the dime and move forward into some of these areas.”
John agrees: “I was a little bit surprised by the explicit nature of some of the guidance. … I thought the Zero Trust [guidance] was really fascinating because of what we’ve seen from NSA, what we’ve seen from DHS, what we’ve seen from NIST and what we’ve seen from even private sector companies like Microsoft.”
Zero Trust excerpts
Here are some key excerpts from the Section 3 of the Executive Order pertaining to Zero Trust:
Sec. 3. Modernizing Federal Government Cybersecurity.
(a) To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties. The Federal Government must … advance toward Zero Trust Architecture; … and invest in both technology and personnel to match these modernization goals.
(b) Within 60 days of the date of this order, the head of each agency shall:
(ii) develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance [this refers to NIST 800-207, “Zero Trust Architecture, published August 2020], describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them; and
(c) As agencies continue to use cloud technology, they shall do so in a coordinated, deliberate way that allows the Federal Government to prevent, detect, assess, and remediate cyber incidents. To facilitate this approach, the migration to cloud technology shall adopt Zero Trust Architecture, as practicable. The CISA shall modernize its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with Zero Trust Architecture.
If you want to get your organization out in front of the coming Zero Trust tsunami and other changes from the Cybersecurity Executive Order, you’ll appreciate the expert views and advice in this podcast episode with Scott Sarris.
Looking for some related content about the Cybersecurity Executive Order? Check out this post: The Cyber Executive Order: Will It Bring New Regulations for Critical Infrastructure? – Pivot Point Security
Listen to the podcast episode all the way through: EP#58 – Scott Sarris – The Cybersecurity Executive Order: What You Need to Know – Pivot Point Security