Choosing Which Federal Guidelines to Follow for Zero Trust

Federal agencies are feeling increased pressure to adopt appropriate federal Zero Trust guidelines and accelerate their adoption of a Zero Trust architecture, following the recent release of a U.S. Office of Management and Budget (OMB) memo. The OMB memo is a continuation of the May 2021 Executive Order on Improving the Nation’s Cybersecurity, which outlines aggressive implementation deadlines for a federal Zero Trust architecture strategy over the next two-and-a-half years.

What’s outlined in the OMB memo is a big ask on an intense timeline. As one Forrester analyst noted, if the government Zero Trust strategy is “executed as mandated, not only will government agencies meet the security maturity levels of large organizations in the private sector… they’ll also surpass them.”

While the transition to a Zero Trust cybersecurity approach offers a great deal of upside for federal agencies, many organizations are still trying to find direction in their journey. One question we’re hearing often from the agencies we work with is, “Which federal guidelines for Zero Trust should we follow?” The good news is that each of the guidelines explored below can provide you with valuable information on guidance, functionality, security controls and operations for Zero Trust.

Zero Trust is a strategic approach to cybersecurity that secures an organization by simplifying security to a single use case: the elimination of implicit trust and the continuous validation of every stage of a digital interaction. Choosing Zero Trust guidelines or frameworks and accessing expertise from trusted resources are critical steps to implementing an effective strategy. To help agencies with their decision-making, here’s a quick overview of three of the most commonly cited Zero Trust frameworks.

NIST Special Publication 800-207: Zero Trust Architecture

The primary focus of the National Institute of Standards and Technology (NIST) guidelines, which were introduced in August 2020, is to help federal agencies reduce implicit trust zones and understand policy enforcement points and policy decision points. The guidelines cover the basics of Zero Trust and are meant to help federal agencies understand (at a macro level) how data, applications, systems and networks interact. 

NIST recommends agencies design and deploy a Zero Trust architecture with adherence to seven basic tenets, from considering all data sources and computing services as resources, to collecting as much information as possible about the current state of assets, network infrastructure and communications and using that information to improve the organization’s security posture.

DOD Zero Trust Reference Architecture

Released in February 2021, the Department of Defense (DOD) guidelines offer a more operational and micro-level approach to Zero Trust than the guidance from NIST. The DOD Zero Trust Reference Architecture includes seven “Zero Trust Pillars and Capabilities” and addresses specific functions and security controls, such as data loss prevention (DLP), data tagging and microsegmentation (practice of creating logical network zones to isolate network segments). This reference architecture includes a maturity model that describes the importance of establishing a baseline protection level prior to designing a Zero Trust architecture.

Per the directive, DOD agencies, including military departments and the Defense Information Systems Agency (DISA), should align to the DOD Zero Trust Reference Architecture as it was crafted with a defense-specific mission and requirements in mind. We also anticipate that many DOD agencies may decide to adopt some type of maturity model as well as measure their progress along their Zero Trust security evolution.

CISA Zero Trust Maturity Model

Finally, there is the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model, which was introduced in June 2021 as a resource primarily for civilian agencies. The CISA Zero Trust Maturity Model includes five pillars (identify, device, network/environment, application workload and data) and three cross-cutting foundational elements: visibility and analytics, automation and orchestration and governance. This model outlines a good-better-best approach to Zero Trust, which CISA refers to as “traditional, advanced and optimal.”

The “optimal” stage of Zero Trust security is the ultimate goal, of course. At this point in the Zero Trust journey, according to CISA, a federal agency would be accomplishing many things:

  • Continuously validating identity, not just when access is initially granted.
  • Analyzing user behavior in real time with machine learning algorithms to determine risk and deliver ongoing protection.
  • Fully automating technical enforcement of policies and updating policies to reflect new orchestration options.

The above information offers only a brief glimpse at what the NIST, DOD and CISA guidelines for Zero Trust offer to federal agencies and provides a solid starting point for further exploration.

The Elimination of Implicit Trust

Federal agencies that are trying to decide which Zero Trust guidelines are most appropriate for their security needs should focus on the core premise of Zero Trust: never trust, always verify. It’s the elimination of implicit trust and the validation of all digital interactions. Zero Trust offers a way for federal agencies to fortify their security for every aspect of their IT environment – users, applications and infrastructure – through constant validation. It isn’t technology; it’s a methodology.

Regardless of which guidelines you follow, your agency will need the right combination of expertise and tools, including automation, orchestration and artificial intelligence/machine learning, to support and continually improve on an effective Zero Trust architecture.

Insight from a Zero Trust Thought Leader

Palo Alto Networks is a thought leader in Zero Trust. In 2021, NIST selected Palo Alto Networks as a private sector collaborator at the National Cybersecurity Center of Excellence to help build Zero Trust Reference Architectures using industry-leading technology capabilities. Through the National Security Telecommunications Advisory Committee (NSTAC), we also recently co-chaired a study tasked by the White House that provided industry guidance on how the government can most effectively implement the OMB Federal Zero Trust Strategy.

As I mentioned earlier, each of these approaches can help you address federal guidelines for Zero Trust – all options are good options for getting started with your journey. We support all the federal guidelines for Zero Trust through our Professional Services organization. We can help federal agencies of all sizes accelerate their Zero Trust initiatives and meet the critical deadlines outlined by the White House, regardless of where they are in their Zero Trust journey. We take a comprehensive approach to the Zero Trust Enterprise across users, applications and infrastructure to deliver one of the most thorough toolsets in the industry.

If you’d like to learn more about how Palo Alto Networks can help your agency become a Zero Trust Enterprise and implement the federal guidelines most appropriate for your organization, reach out to our Professional Services team.