Nearly eighteen months after President Biden issued his sweeping Executive Order on Improving the Nation’s Cybersecurity (cyber EO), federal agencies adopting zero trust architectures (ZTA) still face significant challenges. Agencies are not a monolith; they are individual organizations that need to comply with the cyber EO while addressing their unique security risks and communicating with one another. Based on its mission, every agency starts at a different place and may stop at a different point along its journey to a fully mature, real-time zero trust model.
ZTA is a cybersecurity approach rooted in the idea that users and devices need to be constantly verified when accessing networks or IT systems. Agencies must build holistic zero trust architectures that respond to threats and risks across people, processes, and technologies. Simultaneously, they need to contend with their operational realities, including fixed budgets and limited availability of skilled staff.
As agencies mature in their implementation, they need tightly integrated solutions that enable them to address security concerns across the various zero trust pillars.
Moving Beyond the Jargon: Next Steps for Zero Trust and Compliance
To implement zero trust and comply with the cyber EO, agencies need to understand how a vendor’s capabilities support a zero trust strategy. This means moving beyond the marketing buzzwords and terminology so that they can take the appropriate next steps.
Creating an Identity and Access Strategy
A robust identity strategy or architecture should be the starting point for implementation. Consider it a fundamental pillar of zero trust.
From a processes and technology standpoint, agencies need to establish and enforce robust controls that include:
- Limiting user access to resources as precisely as possible
- Setting role-based access controls
- Incorporating attribute-based access controls
- Using multi-factor authentication (MFA)
Converging Networking and Security
Most agencies have hybrid environments that incorporate on-premises and cloud-native resources. To implement ZTA, agencies need ubiquitous solutions that can combine security and networking without reducing workforce productivity.
Zero Trust Network Access (ZTNA) solutions build security directly into their networking capabilities. While ZTA ensures that all users and devices appropriately authenticate to the networks, ZTNA applies these controls at the application level. By placing applications behind a proxy point, ZTNA creates a secure, encrypted tunnel for connectivity without compromising network performance.
Addressing the People Side
At the people level, agencies must educate their workforce of public servants about zero trust. Sometimes, agency workforce members feel that “zero trust” comes with an Orwellian overtone. Many were hired into positions of trust, especially those with security clearances, leading them to consciously or unconsciously push back against these access controls.
Explaining zero trust in language that workforce members understand enables an agency to establish a culture of security. People know that they must have bags screened in the lobby or use badges for the elevator, and zero trust is the digital equivalent.
Further, an integrated ZTA strategy addresses skills gaps. Solutions enable staff by augmenting their current capabilities. For example, an integrated Internet of Things (IoT) endpoint and device protection solution enables visibility into, control over, and advanced protection of networks while reducing manual processes that overwhelm IT teams.
Taking it a Step Further: The Future of Zero Trust Security for Federal Agencies
Tightly integrated solutions that work together cohesively enable Federal agencies to implement holistic ZTA strategies.
Find Partners with Experience
Federal systems and networks face unique threats. With a sophisticated threat landscape, expanding attack surface, increased regulatory oversight, and growing cybersecurity skills gap, agencies need partners who understand specific areas that impact them, such as:
- Attacks from nation-state actors
- Protecting mission and agency data
- Ensuring security in a work-from-home environment
- Maintaining and upskilling a cybersecurity-skilled labor force
- Secure cloud migration
- Supply chain security
Secure Access Service Edge (SASE)
To converge security and networking as part of a zero trust strategy, Federal agencies can leverage SASE solutions that integrate cloud-delivered SD-WAN connectivity with security service edge (SSE).
They should adopt solutions that incorporate these key capabilities:
- Secure web gateway (SWG)
- Universal zero trust network access (ZTNA)
- Next-generation dual-mode cloud access security broker (CASB)
- Firewall-as-a-Service (FWaaS)
Segment Networks
Federal agencies house data across varying degrees of sensitivity that require diverse levels of access. Segmenting these networks is fundamental to ZTA but also creates challenges around visibility and centralized control. Using intelligent intent-based segmentation enables agencies to adopt the dynamic and granular access controls that enable a robust zero trust strategy at the network layer.
Leverage Real-Time Threat Intelligence
Threat actors, specifically nation-state adversaries, use increasingly sophisticated technology to deploy attacks. Combined with their ability to exploit zero-day vulnerabilities, automation, artificial intelligence (AI), and machine learning (ML) tools enable them to create attacks that traditional security solutions often fail to detect and that, once detected, are not easy to triage and mitigate. Federal agencies need security solutions that integrate AI and ML capabilities into their tools. With a coordinated and layered approach, agencies can utilize these solutions to discover zero-day attacks in real time and minimize false positives that overwhelm cybersecurity staff and reduce their productivity.
Use Advanced Endpoint Security Tools
To meet ZTA’s device pillar, agencies need an endpoint security tool with capabilities that protect all endpoints, including laptops and mobile devices. They need solutions that provide information about, visibility into, and control over these devices while enabling secure, remote connectivity.
An advanced endpoint security tool offers:
- Device status reports that include applications running and firmware versions
- Secure connectivity over either VPN or, preferably, ZTNA tunnels
- Automatic isolation of suspicious files
- Enforcement of application control, connected-media control, URL filtering, and firmware upgrade policies
- CASB controls applied when users access cloud-based applications
- Malware protection and an application firewall service
Fortinet Federal: Expertise and Technologies Focused on Zero Trust and US Government Agencies
Fortinet Federal enables civilian and national security organizations with an experienced professional team that works with agencies to secure federal networks, users, and data. As a wholly owned subsidiary dedicated to US Government agencies, Fortinet Federal is committed to helping agencies meet public sector priorities, standards, and evolving cybersecurity mandates like the cyber EO.
Based in the US, we provide a flexible security platform with an end-to-end, integrated architecture across multiple domains, classified systems, and cloud-based resources without compromising network performance or workforce productivity. With our scalable government IT solution, agencies can simplify their security core architecture to a single platform that enhances visibility and enables them to adapt to future needs without taking a “rip and replace” approach.
Delivering a holistic, industry validated solution, Fortinet Federal streamlines cyber EO compliance and security transformation for United States Government Agencies.
Learn more about how Fortinet Federal, Trusted Cybersecurity for Government, helps agencies protect U.S. government data and critical infrastructure against advanced nation-state threats.