About Zero Trust
As defined by NIST (SP 800-207), “Zero Trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated… The initial focus should be on restricting resources to those with a need to access and grant only the minimum privileges (e.g., read, write, delete) needed to perform the mission.” In short, Zero Trust is built around the concept of “never trust… always verify,” and then verify, verify, verify, and verify again.
Why Zero Trust Is Important for Every Organization
Today, most enterprise infrastructures are very complex: multiple internal networks intertwined with cloud assets and services, plus remote workers and other endpoints outside the traditional boundary. Over the past decade or more, there has been a growing shift away from the old “moat and castle” approach to cybersecurity, as security teams have found that legacy, perimeter-based security is less effective against increasingly sophisticated cyber-attacks. Organizations can no longer guard the network perimeter alone and expect their networks to remain secure. To be prepared, organizations and security professionals need to assume that their networks and systems are already compromised, and then focus on identifying and mitigating unhindered lateral movement within their networks. Zero Trust was developed to address this very challenge, and the recent Executive Order is expected to accelerate its adoption, specifically requiring all U.S. Federal Agencies to meet various Zero Trust milestones over the next 60, 90, and 180 days.
60 Days for Agencies to Develop a Zero Trust Plan; CISA to Issue A Cloud Governance Framework
DUE JULY 11, 2021 – Agencies have 60 days from the date of the Executive Order to develop a plan to implement Zero Trust Architecture, including migration steps and schedules, prioritized based on the highest security impacts. Existing agency plans must be updated to prioritize adoption and use of cloud technology. Agency plans must be reported to the Director of OMB and the Assistant to the President and National Security Advisor (APNSA). CISA must also develop a cloud-service governance framework that identifies a range of services and protections available to agencies.
90 Days for Cloud Strategy and Technical Reference Architecture Documentation
DUE SEPTEMBER 24, 2021 – Agencies’ “migration to cloud technology shall adopt Zero Trust Architecture, as practicable.” E.O. Sect. 3(c). OMB, CISA, and GSA/FedRAMP have 90 days from the date of the Executive Order to develop a Federal cloud-security strategy and provide guidance to agencies accordingly. “This guidance shall seek to ensure that risks to the [Federal Civilian Executive Branch (FCEB)] from using cloud-based services are broadly understood and effectively addressed, and that FCEB Agencies move closer to Zero Trust Architecture.” E.O. Sect. 3(c)(i). In addition, OMB, CISA, and GSA/FedRAMP must “develop and issue, for the FCEB, cloud-security technical reference architecture documentation that illustrates recommended approaches to cloud migration and data protection for agency data collection and reporting.” E.O. Sect. 3(c)(ii).
180 Days for Agencies to Adopt Multi-factor Authentication and Encryption
DUE NOVEMBER 8, 2021 – Agencies “shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.” To support this goal, the E.O. states, “(i) Heads of FCEB Agencies shall provide reports to the Secretary of Homeland Security through the Director of CISA, the Director of OMB, and the APNSA on their respective agency’s progress in adopting multifactor authentication and encryption of data at rest and in transit. Such agencies shall provide such reports every 60 days after the date of this order until the agency has fully adopted, agency-wide, multi-factor authentication and data encryption. (ii) Based on identified gaps in agency implementation, CISA shall take all appropriate steps to maximize adoption by FCEB Agencies of technologies and processes to implement multifactor authentication and encryption for data at rest and in transit. (iii) Heads of FCEB Agencies that are unable to fully adopt multi-factor authentication and data encryption within 180 days of the date of this order shall, at the end of the 180-day period, provide a written rationale to the Secretary of Homeland Security through the Director of CISA, the Director of OMB, and the APNSA.”
Where to Begin
Learn how S2 addresses the requirements outlined in the Executive Order.
Learn More About How We May Help Your Organization
Contact us today to partner with us on your Zero Trust initiatives.