The Biden Administration’s recent cyber security Executive Order is a turning point for federal agencies. It gives clear guidance toward ensuring that government data and systems are protected.
The Order arrives at a time when there is a groundswell of interest in Zero Trust. It has been building since February when the National Security Agency issued guidance toward Zero Trust adoption. The Cybersecurity and Infrastructure Security Agency also recently released a maturity model to help agencies track their progress.
Meanwhile, the Department of Defense (DoD) has announced that it will release its strategy for a Zero Trust Architecture (ZTA) later this year. The DoD has also released a strategic document that presents its scope, vision, and goals for ZTA.
It’s clear that now is the time for federal agencies—and even state and local institutions—to act. The zero-day attacks on SolarWinds and Colonial Pipeline, both uncovered by FireEye Mandiant, demonstrate the high price and devastating impact of cyber attacks.
The Mission of the Executive Order
The cyber security Executive Order aims to modernize U.S. government security defenses. It seeks to:
- Remove barriers to threat information sharing between government and the private sector
- Modernize and implement stronger cyber security standards in the federal government
- Improve software supply chain security
- Establish a cyber security safety review board
- Create a standard playbook for responding to cyber incidents
- Improve detection of cyber security incidents on federal government networks
- Improve investigative and remediation capabilities
All of these points can be addressed by establishing a ZTA. According to the National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST), a ZTA "treats all users as potential threats and prevents access to data and resources until the users can be properly authenticated and their access authorized. In essence, a zero trust architecture allows a user full access but only to the bare minimum they need to perform their job. If a device is compromised, zero trust can ensure that the damage is contained."
Three Steps Toward a Well-Designed ZTA
Implementing a ZTA involves multiple steps, from multi-factor authentication all the way to network microsegmentation and automated threat detection.
FireEye Mandiant recognizes that government institutions are at different stages of maturity with Zero Trust. We also understand that implementation can seem overwhelming, especially if an organization, like most in the public sector, is facing IT security skills shortages.
We recommend asking the following questions:
- What security practices and solutions does your organization already have in place? Pause and take stock. There is no need to reinvent the wheel.
- Can you leverage any cyber security solutions that you’ve already implemented to meet the EO requirements? If so, these investments will most likely also fit into your ZTA roadmap.
- Do the private-sector vendors with whom your agency has relationships have the knowledge and government expertise to help you on your ZTA journey? Many providers offer Zero Trust-related solutions; however, they may not be aware of the unique compliance and security requirements for government agencies.
Next, dig deeper into ZTA and all its considerations by downloading our white paper, Zero Trust for Federal Government: A Guide to Achieving Improved Cybersecurity.
FireEye Mandiant is at the forefront of the Zero Trust conversation, and we’re ready to help your organization on the journey to better cyber security.