On January 26, 2022, the White House issued the Federal Zero Trust Strategy, a continuation of the direction of the May 2021 Executive Order on Improving the Nation’s Cybersecurity. The Federal Zero Trust Strategy details a series of specific actions all U.S. federal agencies must take to advance adopting a Zero Trust approach. It is expected to drive federal government cybersecurity activities over the next two years and beyond. Understanding the key takeaways and how to best implement them within your organization is a critical first step to successfully align your Zero Trust efforts with the latest requirements.
One theme was clear from the White House strategy: Zero Trust must span the entire infrastructure. The memo explicitly states that agencies should migrate “from verify once at the perimeter to continual verification of each user, device, application and transaction.” Taking a holistic approach to Zero Trust is a key aspect of overall success. At Palo Alto Networks, we enable organizations to implement Zero Trust broadly across users, applications and infrastructure. This includes tying strong identity to integrity of devices and workloads, applying least privilege access, and continuously validating all transactions with comprehensive threat protection.
As federal agencies begin or advance their Zero Trust journeys, the Federal Zero Trust Strategy makes it clear that they must start with a foundation of comprehensive visibility. “To effectively implement a zero trust architecture, an organization must have a complete understanding of its internet-accessible assets,” the Federal Zero Trust Strategy reads. It is only with comprehensive understanding of critical systems and exposures that agencies can effectively enforce Zero Trust policies in a risk-prioritized manner. This asset mapping capability must be continuous and dynamic as static scanning capabilities will have limited utility in a rapidly evolving threat environment.
Strong Identity Meets Least-Privilege Controls and Continuous Monitoring
A significant portion of the recent memo focuses on the importance of implementing strong identity best practices. These should be tightly integrated with your Zero Trust policies and controls in order to ensure the adoption of Zero Trust key tenants, such as least-privileged access. This means that only the minimal amount of access should be granted to a user based on their role and required resources. Once controls and policies are in place, identity and access must be continuously monitored to detect any malicious behavior and evolve the Zero Trust security posture.
While the May 2021 Executive Order laid out a general vision for advancing toward Zero Trust, the recent Federal Zero Trust Strategy provides much more implementation detail, as well as some aggressive timelines. One deadline calls for agencies to submit their updated Zero Trust implementation plan, incorporating all new requirements identified in the Federal Zero Trust Strategy within 60 days.
Because transitioning to Zero Trust is a strategic undertaking, most organizations will benefit from engaging a trusted cybersecurity partner to help them create and implement their Zero Trust plan. Palo Alto Networks has been working extensively with our customers on Zero Trust initiatives, utilizing our Professional Services team, which has unparalleled experience helping organizations of all sizes accelerate their Zero Trust journey.
Palo Alto Networks has also been helping lead partnerships among industry and with the federal government to advance Zero Trust standards and best practices. We were honored to recently serve as a co-chair in leading a study tasked by the White House through the National Security Telecommunications Advisory Committee (NSTAC), which provided industry guidance on how the government can most effectively implement the Federal Zero Trust Strategy. In 2021, we were honored to be selected by the U.S. National Institute of Standards and Technology (NIST) as a private-sector collaborator, helping build NIST Zero Trust Reference Architectures using industry-leading technology capabilities.
Learn more about how Palo Alto Networks can help you become a Zero Trust enterprise and meet key requirements of the recent Federal Zero Trust Architecture Strategy. You can also learn more about Palo Alto Networks collaboration with the federal government by visiting the NIST Zero Trust Architecture Project website and reading the new NSTAC Report to the President on Zero Trust, which is now published on CISA’s website.