The Biden administration has begun defining a zero-trust architecture for cybersecurity systems and day-to-day operations of the US government. Its ambitions for zero trust as cyber defense go beyond this already audacious goal, deep into the private sector.
By its very nature, a public procurement initiative of this magnitude influences the marketplace as federal contractors adapt to new requirements and, in turn, adapt their supply chains. But the Biden administration is seeking to exert additional influence on the adoption of zero-trust architectures nationwide with measures ranging from public-private software development processes to a software labeling program, similar to the “Energy Star” label on devices, to attest to software security.
To this end, the administration issued an executive order in May and a draft zero-trust architecture in September, as US public and private sector critical infrastructure was relentlessly targeted by ransomware attacks. “For too long we have been kicking the box,” the order said. “We need to use the federal government’s buying power to incentivize the market to build security into all software from scratch.”
The zero-trust strategy is one of several initiatives included in what the administration calls its “whole-of-government” response to ransomware and other types of cybercrime. Other initiatives include supporting ransomware reporting legislation and conducting international diplomacy to combat global criminal networks and state-sponsored cyberattacks.
The early days of zero trust
Osterman Research recently reported that many private and public sector organizations are still in the early stages of deploying zero trust: “They’re just getting started, or they haven’t started yet.” Nearly two in three organizations (65%) expect to achieve full deployment of a zero-trust architecture within two years, the research group said.
Zero trust involves several organizational and technological changes. Key aspects include:
- Approach: No individual or device is trusted without continuous verification, whether it sits inside or outside the organization’s network. This replaces the practice of building a perimeter around an organization and trusting whatever is inside it.
- Technologies: Zero-trust architectures are built on key technologies such as identity and access management, application access management, data classification and data flow management. The architecture is just one facet of an organization’s cybersecurity defenses, complementing or integrating with software vulnerability management, detection and response systems, and other protections.
- Barriers: Barriers to implementation include the difficulty of deploying zero trust on legacy systems, Osterman said. Additionally, zero-trust architectures must be designed and implemented without impacting productivity. They require significant organizational change to overcome resistance from employees and other stakeholders, who face more frequent validation of their identities and access rights in a variety of circumstances. An organization may need dozens or more of these so-called “micro-segmentation policies”.
Ultimately, Osterman’s survey showed that zero trust is expected to double the average effectiveness of defenses against a range of cyber threats.
Federal Zero Trust Strategy
The Zero Trust Architecture released by the administration for comment in September aims to define baseline policy and technical requirements while focusing on key security outcomes. Implementation is described as a multi-year journey. More specifically, it includes:
- Consolidating agency identity systems.
- Fighting phishing with strong multi-factor authentication.
- Treating internal networks as untrusted.
- Bringing data protections closer together by strengthening application security.
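The principles described above (every request verified regardless of network location, internal networks treated as untrusted, phishing-resistant MFA, data classification as a policy input) contrasted with a perimeter model, as an added illustration that is not code from the article or from any of the documents it cites; the request fields, the authenticator classification and the scenarios are constructed assumptions.

```python
from dataclasses import dataclass

# Authenticators treated here as phishing-resistant (the credential cannot be
# replayed to a look-alike site). This classification is the example's own
# assumption, not a list taken from the strategy document.
PHISHING_RESISTANT_MFA = {"fido2", "piv"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa: str               # "none", "sms", "totp", "fido2", "piv"
    device_managed: bool   # enrolled in the organization's device inventory
    device_patched: bool   # posture signal reported by endpoint management
    source_internal: bool  # request arrived from the corporate network
    data_class: str        # "public", "internal", "confidential"


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: anything inside the network perimeter is trusted."""
    return req.source_internal


def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """Per-request policy: authenticator strength, device ownership and device
    posture are re-checked on every request. Network location is deliberately
    not an input, so internal and external requests are judged the same way."""
    if req.mfa not in PHISHING_RESISTANT_MFA:
        return False, "phishing-resistant MFA required"
    if not req.device_managed:
        return False, "unmanaged device"
    if req.data_class == "confidential" and not req.device_patched:
        return False, "confidential data requires a patched device"
    return True, "allowed"


# Constructed scenarios (not from the article): an account on the internal
# network whose password and SMS code were phished, a remote employee on a
# managed, patched laptop with a hardware key, and the same employee on a
# laptop that has fallen behind on patches.
SCENARIOS = {
    "phished_insider": AccessRequest("alice", "sms", False, False, True, "confidential"),
    "remote_employee": AccessRequest("bob", "fido2", True, True, False, "confidential"),
    "stale_laptop": AccessRequest("carol", "fido2", True, False, False, "confidential"),
}


def compare(name: str) -> dict:
    """Return both models' verdicts for one scenario, with the zero-trust reason."""
    req = SCENARIOS[name]
    allowed, reason = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req), "zero_trust": allowed, "reason": reason}
```

Running `compare` over the three scenarios shows the perimeter model admitting the phished account and rejecting the legitimate remote worker, while the zero-trust policy does the reverse and also blocks the unpatched device from confidential data.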
At the same time, the White House statement lays out “a concurrent public-private process to develop new and innovative approaches to secure software development and uses the power of federal government procurement to incentivize the market.” A pilot program would be launched for the labeling program mentioned above, aimed not only at the government but also at the general public.
Business response is tentative
According to an analysis by law firm Wiley, the zero-trust architecture and its complementary initiatives in Biden’s “whole-of-government” cybersecurity directive “will have a broad impact on the private sector.” “It seeks to impose a raising bar through a series of steps that will aggressively alter the cyber landscape for the public and private sectors.”
Industry responded tentatively. For example, the Information Technology Industry Council (ITI), a trade association, expressed general support but raised several concerns. “In its current form, the document appears to perpetuate the concept of security silos,” ITI said. “Greater clarity around a holistic approach to zero trust will help agencies refine their approach to people/devices (workforce), apps/data (workload), and assets (workplace).”
The group also suggested that the plan set clearer priorities and that its approach to cyber risk be more proactive.
For its part, Cisco wrote, “This effort must be visibly supported by non-technical agency leadership.” The company explained the need for more emphasis on this, saying that “implementing the Zero Trust Principles will lead to changes in how the entire agency operates and alter the risk tolerance of all agency employees.”
BSA | The Software Alliance expressed a wait-and-see attitude. “I would say the industry loves clarity…but the industry also loves quality, so if what comes out of it is too broad and creates more signal than noise, there’s a little tension there,” said Henry Young, director of policy at the BSA.
As the Biden administration deploys a zero-trust architecture, it also seeks to pilot this emerging approach to cybersecurity across the country, in both the public and private sectors. It’s still early days, but the research shows high hopes among security leaders in Zero Trust’s potential to improve security.
Sources
- “President Signs Executive Order Establishing New Path to Improve Nation’s Cybersecurity and Protect Federal Government Networks,” White House
- “Office of Management and Budget Releases Draft Federal Strategy to Move U.S. Government Toward Zero Trust Architecture,” White House
- “Why Zero Trust Matters,” Osterman Research
- “Biden’s Cyber EO Aims to Improve Federal Security and Displace the Private Sector,” Wiley
- “Re: Call for Public Comments on the Federal Zero Trust Strategy,” Information Technology Industry Council
- “Zero Trust and the Federal Government: Feedback for Progress,” Cisco
- “Industry Groups Express Cautious Optimism About Biden’s Executive Order on Software Standards,” BSA | The Software Alliance