President's Commentary: A Programmatic Approach to Zero-Trust Nirvana
The White House Office of Management and Budget (OMB) memorandum, M-22-09, issued in January was a call to action for the adoption of zero-trust cybersecurity principles and capabilities to protect our nation’s critical data.
The progress since has been impressive. Across the government, departments and agencies have responded. The Defense Department, for example, has crafted a five-year strategy, defined the capabilities required for implementation and appointed Randy Resnick to lead the Zero Trust Portfolio Management Office. The National Security Agency released guidance for implementing zero trust, and the Cybersecurity and Infrastructure Security Agency has issued guidance for applying zero trust to enterprise mobility as well as a cloud security technical reference architecture.
Additionally, industry rapidly responded with the kind of innovative solutions we’ve come to expect any time our nation faces an urgent need. More than 90 companies have answered the call, and the number of available solutions is rapidly expanding.
But zero trust is nirvana, as Sarbari Gupta, a member of AFCEA’s Zero Trust Strategies Subcommittee, puts it. It is the ultimate goal, the transcendent state.
It is also a cybersecurity paradigm shift, and shifting paradigms is never easy, even when using existing as well as new capabilities. Implementing zero-trust principles without disrupting the mission—which is absolutely critical—adds to the challenge.
While progress has been notable, we at AFCEA hear about a number of challenges. Understandably, some organizations feel overwhelmed and are unsure of where and how to begin.
Struggling organizations might consider a Program Management 101 approach. Begin with a high-level strategy, identify which sectors need to be involved, designate leaders across the organization, assign specific responsibilities and empower those leaders to plan and implement the next steps needed within their respective domains. It is vital that those leaders be granted the authority and resources required to achieve the end state. It is also essential that these leaders have a collaborative environment in which to share and vet ideas and learn from one another to avoid missteps in realizing the broader vision.
As the OMB memo points out, the shift to zero trust involves professionals from across an organization, including finance, acquisition, information technology and cybersecurity. Ideally, it would also include human resources for proper training and corporate communications for active messaging. Failing to involve and inform the appropriate professionals leads to, at best, costly schedule delays and, at worst, a security disaster.
Achieving cybersecurity nirvana will be made easier if broken down into smaller, more easily achievable tasks, such as inventorying assets, mapping networks and developing a strategic road map. Following the steps listed in the National Institute of Standards and Technology Special Publication 800-207 is a great start. By taking an incremental, program management approach, agencies and companies can define those smaller tasks, invest the resources, learn the lessons and develop guidance to inform the rest of the journey. In other words, try small, fail quick and learn fast!
Also, keep in mind that data is the lifeblood of the mission. It is the one crown jewel sought by cyber attackers. Data protection is at the very core of zero trust and rightly so.
Any organization falling behind can adopt lessons learned and best practices from others. Borrow shamelessly from the guidance, strategies, implementation plans, ideas and solutions others have already provided. Reach out to those leading the way. And listen attentively to what industry has to offer.
AFCEA’s mantra is “Connecting people, ideas and solutions,” and that is exactly what is needed to implement zero trust. The zero-trust journey is essential to our national security. It should be a collaborative and mutually supportive effort involving the whole of government as well as industry and academia. By communicating and sharing ideas and solutions, we can ensure no organization is left behind on the journey to zero-trust nirvana.