The US Zero Trust Policy — What You Need to Know


Zero Trust is an important strategy for securing today’s business networks, and the approach has received a significant boost over the past few years. As an increasing number of sophisticated malware attacks against public and private organizations began populating headlines, it became clear to IT and Security stakeholders that a strong cybersecurity strategy must be put in place before they became the next target. 

US President Biden’s May 2021 Executive Order (EO) on improving cybersecurity came as an urgent response to the alarming rise in the number of cyberattacks on organizations of all sizes, across all industries. One of the main directives in the EO was for the Federal Government to update and upgrade outdated cybersecurity strategies to a Zero Trust model. 

While IT and security professionals have been familiar with the term for years, the EO gave organizations a firm push to go forth on their Zero Trust journey. Since then, the Federal Government has issued further guidelines on Zero Trust, including the M-22-09 Memorandum published in January 2022, titled “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles”.  

The memo provides heads of executive departments and agencies with a detailed list of the cybersecurity standards and objectives required for the Federal Zero Trust Architecture strategy, and is the first that lays out specific actions, along with a deadline: end of Fiscal Year 2024 (September 30, 2024). 

While the memo applies to offices and departments in the Federal Government, it’s not something that IT and Security teams in the private sector should ignore. Government contractors and companies doing business with Federal Agencies must also comply with these new mandates. In addition, as companies continue working hard to mature their cybersecurity practices, these and other federal guidelines and mandates are part of a bigger movement across all industries toward a common cybersecurity framework and set of standards that apply to all organizations and address today’s rapidly evolving threat landscape.  

What Are the US Government’s Zero Trust Principles?

The term Zero Trust was originally coined over 10 years ago by Forrester analyst John Kindervag but only became an area of focus in recent years. This is due to the massive digital transformation business networks have undergone, expanding to include cloud networks, countless SaaS applications, and a remote global workforce. 

The Zero Trust security model “eliminates implicit trust in any one element, component, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses,” according to the US National Institute of Standards and Technology (NIST).

The recent M-22-09 Zero Trust cybersecurity memo provides agencies with actionable standards and objectives to comply with in order to ensure that the Federal Government makes the “dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data.” 

The traditional approach of verifying once at the perimeter was once considered good enough by many – but that was when organizations’ tech stacks and workforce were very different. Today, an organization’s systems and networks extend to the cloud, and rely on a wide array of SaaS applications and platforms. This shift alone makes the task of securing the network more complex; add to that a hybrid workforce, where employees and their devices connect from anywhere, at any time. These changes demand a new approach to cybersecurity, including continuous verification of each user, device, application, and transaction.

The memo details the goals that agencies are expected to achieve by the end of Fiscal Year 2024, based on the US Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Model and its five pillars: Identity, Devices, Networks, Applications and Workloads, and Data. 

5 Tips for Implementing US Zero Trust Policy

Government agencies – many of which were already well on their way to implementing Zero Trust cybersecurity practices – are now pushing even harder to ensure the standards are implemented before Fiscal Year 2025 (October 1, 2024), and private organizations are also heeding the call. 

As organizations’ tech stacks become increasingly distributed and complex, their attack surface continues to expand, demanding the Zero Trust mindset and approach: remove implicit trust, control and manage every asset within the network, and continuously validate every single step in digital interaction. 

The Zero Trust model is continuously evolving to keep up with the rapid pace of the digital transformation, and there are a few key aspects and tips to keep in mind as organizations move forward in their Zero Trust journey. 

#1 Visibility: Know Your Inventory

You can’t protect what you don’t know about. Today, business-critical data and services are accessed by a dynamic group of global workers and contractors via multiple cloud providers and countless SaaS applications. 

The preliminary and crucial step to achieving any level of Zero Trust cybersecurity is to have an updated inventory of all of the infrastructure in use, from cloud services, to SaaS tools, to websites, to endpoint devices – and how all of those are currently being protected. 

#2 Access Control: Manage Users and Endpoints

Once on top of your inventory, the next step is to control access across all layers in the corporate stack. When it comes to identity systems and access control, the Federal Zero Trust Memo advises that agencies “should ensure that information is accessed by the right users, at the right time, and for the right purposes.”

Today’s organizations typically rely on a global mix of full-time employees, contractors, consultants, and third parties. In order to ensure that data and systems are secure, their access must be managed based on a Zero Trust approach.  

Private and public organizations would benefit from adopting the Federal Zero Trust requirement to use centralized identity management systems that can be integrated into applications and platforms, and implement strong multi-factor authentication (MFA) throughout the enterprise.  

#3 Isolate Environments

To block malicious attempts to infiltrate the entire network, segmenting and isolating network access is another critical step in ensuring an organization-wide Zero Trust architecture. 

If the latest cyber attack on Uber taught us anything, it’s the importance of segmenting and isolating business-critical applications to prevent lateral movement if an exploit or data breach occurs.  
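To make tips #2 and #3 concrete, here is an added example of a minimal Zero Trust policy decision point. It is illustrative code written for this article, not Perimeter 81’s product or any agency’s implementation. Every request is evaluated on its own: the caller must present an MFA-verified identity (tip #2), the device must be managed and compliant, and the requested resource must sit in a segment the caller’s role is permitted to reach (tip #3). The user names, roles and segment map are constructed for the illustration, and a `from_corp_network` flag is carried on each request only to show that network location earns no implicit trust.

```python
"""Added example: a minimal Zero Trust policy decision point (constructed)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed segment map: which roles may reach which application segment.
# A role absent from a segment's set cannot reach it, whatever the network.
SEGMENT_ACCESS: dict[str, frozenset[str]] = {
    "hr-payroll": frozenset({"hr-admin"}),
    "source-control": frozenset({"developer", "release-eng"}),
    "public-wiki": frozenset({"hr-admin", "developer", "release-eng", "contractor"}),
}


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset[str]
    mfa_verified: bool       # identity pillar: strong MFA completed for this session
    device_managed: bool     # device pillar: enrolled in management
    device_compliant: bool   # device pillar: posture check passed
    resource_segment: str    # the isolated segment the target application lives in
    from_corp_network: bool = False  # recorded for the audit log, never trusted


def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for one request.

    Checks are ordered so that the first failing control is the reason
    written to the audit log; network location is deliberately not a factor.
    """
    if not req.mfa_verified:
        return False, "identity not MFA-verified"
    if not (req.device_managed and req.device_compliant):
        return False, "device not managed or out of compliance"
    allowed_roles = SEGMENT_ACCESS.get(req.resource_segment)
    if allowed_roles is None:
        return False, f"unknown segment {req.resource_segment!r}"
    if not (req.roles & allowed_roles):
        return False, f"role not permitted in segment {req.resource_segment!r}"
    return True, "all controls satisfied"


def audit_line(req: Request, allowed: bool, reason: str) -> str:
    """One structured line per decision, so denials are visible to SecOps."""
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{verdict} user={req.user} segment={req.resource_segment} "
            f"corp_net={req.from_corp_network} reason={reason!r}")


# Constructed sample requests covering each control.
SAMPLE_REQUESTS = [
    Request("alice", frozenset({"hr-admin"}), True, True, True, "hr-payroll"),
    # MFA and device are fine, but a developer has no business in payroll,
    # even from inside the corporate network: segmentation stops the move.
    Request("bob", frozenset({"developer"}), True, True, True, "hr-payroll",
            from_corp_network=True),
    Request("carol", frozenset({"contractor"}), False, True, True, "public-wiki"),
    Request("dave", frozenset({"developer"}), True, False, True, "source-control"),
]


def run_samples() -> list[tuple[str, bool, str]]:
    """Evaluate every sample request; returns (user, allowed, reason) triples."""
    results = []
    for req in SAMPLE_REQUESTS:
        allowed, reason = evaluate(req)
        print(audit_line(req, allowed, reason))
        results.append((req.user, allowed, reason))
    return results


if __name__ == "__main__":
    run_samples()
```

The point of the `bob` case is the one the Uber incident made: a fully authenticated user on a compliant device, sitting on the corporate network, is still denied outside the segments their role needs, so a compromised account or device cannot move laterally into business-critical applications. In a real deployment the MFA and device-posture inputs would come from the centralized identity provider and endpoint management system rather than from fields on the request.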

#4 Update Legacy VPN Systems

Over the past few years the on-prem model has shifted to cloud and hybrid frameworks, while the workforce has shifted from office-based to remote. When most workers and systems were on-prem, or distributed across a few locations, traditional VPNs more or less got the job done. However, the shift to a global remote workforce and distributed multi-layered networks requires Zero Trust technology that is more agile and scalable than legacy hardware VPNs.

#5 Zero Trust Wasn’t Built in a Day

A year and a half after the US cybersecurity EO voiced an urgent call to the Federal Government to “make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” the recent cybersecurity standards memo warns that “transitioning to a zero trust architecture will not be a quick or easy task for an enterprise as complex and technologically diverse as the Federal Government.” 

It further reminds agencies that “this process will be a journey for the Federal Government, and there will be learning and adjustments along the way as agencies adapt to new practices and technologies.” This is an important note for all companies looking to improve their Zero Trust strategies. 

Achieving Zero Trust maturity requires companies to review the cybersecurity tools and practices they relied on up until this point, and then build towards a Zero Trust architecture. They must also be willing to continuously assess and improve their cybersecurity strategy and tools to cover the increasingly complex and distributed corporate stack, and the quickly evolving threat landscape. 

Using Perimeter 81’s ZTNA (Zero Trust Network Access) technology helps organizations protect their networks, and ensure that their data, critical applications, and infrastructure are secured. As the number of cyber attacks continues to rise, and regulation around implementing Zero Trust strategies increases, integrating a ZTNA solution provides organizations with the controls they need to achieve visibility and control over their ever-expanding and complex tech stack. 

Book a demo with Perimeter 81 today to see Zero Trust Network Access in action.