Federal Agencies’ Zero-Trust Journey Is Underway. Now What?

December 7, 2022

Federal Agencies Zero-Trust Journey is underway at the EPA. But it’s not all plain sailing. Agencies must adopt new technologies and adapt their operating and administration models to make zero-trust deployments a reality. It takes time and cultural change to make the transition.

EPA’s zero-trust journey

EPA’s zero-trust journey is underway, as it implements new security measures to improve data handling and cybersecurity. The agency has set specific goals for its zero-trust journey, including enabling its employees to work from anywhere in the world, creating a secure computing environment, and having fewer cybersecurity incidents than in the past. Given the recent spate of cyber-related attacks, EPA focused on minimizing vulnerabilities and strengthening security across its organization.

As the federal government continues to expand past traditional network perimeters, zero-trust architectures are becoming increasingly important. The EPA has already implemented some of these measures, beginning with identifying network users. This step is part of an overall zero-trust security strategy, which includes identity management solutions.

Zero-trust technology is a strategy, not a product. It requires a combination of technology and a cultural and attitude change. The panel discusses some truths about zero-trust technology, culture, and people. Zero-trust software designed to protect data and infrastructure assets while allowing minimal access. It includes endpoint analysis and multi-factor authentication.

In May, President Joe Biden issued an executive order calling for the adoption of zero-trust architecture. Federal agencies given until 2024 to meet the goals of zero-trust architecture in the areas of identity, devices, networks, applications, and data. As the zero-trust movement continues to gain momentum, the federal government is taking the lead.

Data handling has become an EPA priority. The Manning office will work with the agency to normalize data and encrypt it, while working with the Federal Data Strategy.

EPA’s SOAR

The zero-trust journey starts with identifying network users and establishing an appropriate security posture. The EPA is moving forward with virtual smart cards and multi-factor authentication. It also plans to use remote sensors to prevent cyber-attacks. But there’s more to zero-trust than reducing cybersecurity incidents.

Federal agencies are also moving faster to implement zero-trust security programs. The Biden administration’s Executive Order outlines the requirements for Zero-Trust Architecture. These include comprehensive security monitoring, granular risk-based access controls, and system security automation to protect data in real-time. The zero-trust maturity model developed by the Department of Homeland Security has detailed requirements for SOAR.

EPA’s Sunburst breach

The Sunburst breach is part of the Federal Agencies Zero-Trust Journey to protect data and applications from cyberattacks. The agency has adopted multi-factor authentication (MFA) and virtual smart cards to protect its systems, and it has been adding remote sensors for improved security. But the recent attack has changed the agency’s work environment and led to several cybersecurity incidents. Despite the new challenges, the EPA has been working to improve its zero-trust posture.

Sunburst also highlights the importance of threat models used by major cloud service providers. NCDs should drive regular convenings to review threat models and advocate for technical reforms. The agencies should also identify supportive policies and prioritize implementation of those reforms.

The EPA’s Sunburst breach highlights key challenges and shortcomings of federal agencies’ cybersecurity. It highlights three failure points, namely ineffective operational collaboration, reliance on hard-to-defend technologies, and inadequate risk prioritization. The report also identifies shortcomings in rapid response and mitigation of vulnerabilities.

Zero-trust implementation requires cultural change. It also requires agencies to implement new technologies and establish a governance model for the implementation and administration of the new system. This requires a change in IT management, and the government must make changes in existing IT infrastructure to become more resilient to cyber threats.

Sunburst is a significant breach for cloud computing security. Microsoft identity software products used by dozens of organizations were vulnerable to the attack. As a result, the adversary used these products to move silently across the victim networks. The attackers were able to hop from Office 365 environments to on-premise networks. While the Sunburst breach is different from other software supply-chain attacks, it still raises questions about cloud computing security.

NIST’s risk management framework

The National Institute of Standards and Technology (NIST) is currently gathering information on how best to improve cybersecurity resources and practices. Its recently released National Initiative for Improving Cybersecurity in Supply Chains (NIICS) addresses the cybersecurity aspects of supply chain risk management. The framework builds on existing work in this area. In particular, the NIICS seeks to increase the level of assurance and trust in technology products.

While zero trust aims to minimize data loss and destruction, it is a significant challenge for many organizations, primarily because of the widespread use of applications. Because of this, NIST has issued guidance that will help organizations implement a zero-trust architecture. But, the implementation of the framework requires long-term compliance and successful implementation of the tenants.

The NIST Risk Management Framework is a seven-step process for managing the security and privacy risks of an organization’s information and cyber supply chain. It’s a repeatable, flexible, and extensible framework designed to make organizations more resilient to security threats.

The framework emphasizes the importance of defining assets and identifying their vulnerabilities. Developing a detailed inventory will help organizations identify gaps and avoid unnecessary expenditures. A thorough inventory will also help organizations identify potential system redundancies. This phase can be challenging depending on the size and scope of an organization, but the benefits are numerous.

While federal Agencies Zero-Trust Journey is underway, implementing zero-trust security requires continuous verification of digital interactions. Zero-trust is a multi-layered approach involving multiple technologies and policies. It requires advances in tools and deployment methods. State and local governments have begun taking the next step in moving to a zero-trust environment. To guide the process, some organizations and analyst firms have created roadmaps.

Peraton’s technical approach to zero trust

In a recent interview with ExecutiveBiz, Peraton’s vice president of global health business, Zaki Saleh, outlined some of the company’s recent wins and challenges with zero trust and how the company is tackling these challenges. He also touched on the role of AI, 5G and data modernization in the federal health sector.

Peraton has a comprehensive zero trust solution that supports federal agencies through both defensive and offensive approaches. Peraton’s zero trust platform combines multiple security components, including an extended endpoint detection and response system, micro-perimeters to monitor internal network traffic, and advanced data analytics. Additionally, Peraton has incorporated blockchain technology and integration expertise.

The OMB’s latest guidance on zero trust for federal agencies sets a tight timeline for agencies to meet the new objectives. Agencies have until February 26 to designate the lead responsible for implementing zero trust strategy and incorporate zero trust requirements into their plans. Agencies must meet their zero trust goals by Federal Fiscal Year 2024.

Peraton’s Zero Trust Maturity Model identifies five key pillars of zero trust maturity. The first is the technical approach, while the other four are focused on policy and implementation. Peraton’s Zero Trust Maturality Model offers guidance on how to develop zero trust strategies and implementation plans.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.


A Guide to Cybersecurity in a Virtual Office

A Guide to Cybersecurity in a Virtual Office

Explore the comprehensive guide to cybersecurity in a virtual office, covering essential strategies, best practices, and tools to safeguard your digital assets. Learn how to protect sensitive data, mitigate risks, and ensure the utmost security in today's remote work...

GnuTLS Follows OpenSS

GnuTLS Follows OpenSS

GnuTLS library adheres to the OpenSS (Open Source Security Suite) standard, a significant departure from the former GNU policy. Emacs becomes more secure by adhering to a more robust standard for cryptographic libraries. It also helps avoid confusion when working with...

Zero-day vulnerability in Fortinet FortiOS

Zero-day vulnerability in Fortinet FortiOS

Recently, cybercriminals and nation-states have been exploiting a zero-day vulnerability in Fortinet FortiOS' operating system to launch targeted cyberattacks against government entities. The flaw, CVE-2022-40684, allows attackers to bypass authentication by sending...

Recent Case Studies

Press Releases

News & Events

Solutions

Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing

Resources

Blog

About Us