President’s Telecom Advisors Promote Zero Trust Architecture in Key Report
What: On February 23, 2022, the National Security Telecommunications Advisory Committee (NSTAC) approved a final draft of its forthcoming report to the President on Zero Trust and Trusted Identity Management. The Committee endorsed zero trust architecture, noting that “the widespread adoption and maturity of zero trust principles across government and industry would represent not just a technological shift but a critical cultural shift in our collective approach to cybersecurity,” and made 24 recommendations for how the Federal government can achieve widespread adoption and maturity. As OMB recently observed in its January 26 memorandum, M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, “[t]ransitioning to a zero trust architecture will not be a quick or easy task for an enterprise as complex and technologically diverse as the Federal Government.”
What does it mean for industry: The NSTAC provides an important venue for senior telecommunications industry executives to advise the President on national security and emergency preparedness issues. Zero trust has become a central feature of the Administration’s effort to improve federal network security, an effort that is also intended to improve cybersecurity standards in the private sector. The NSTAC report endorses zero trust as an approach for the federal government and makes a series of recommendations to further advance this undertaking. Of note for companies, the report suggests that the federal government set procurement preferences for vendors that have adopted zero trust standards and best practices. This is consistent with direction from the President that the government must “advance toward Zero Trust Architecture” in section 3 of the May 21, 2021 Executive Order on Improving the Nation’s Cybersecurity.
Going forward, zero trust appears to be one approach that companies, especially government contractors, can point to as a significant element of an information security and risk management strategy that may satisfy the federal government both as a customer and a regulator. And while NSTAC intentionally does not endorse any particular technology solution, migration to zero trust by the federal government is a major opportunity for industry to assist with replacing legacy infrastructure and strategy implementation.
What does the Report say?
President Biden tasked NSTAC in May 2021 to conduct a study on “Enhancing Internet Resilience in 2021 and Beyond.” The report released on February 23 is the second of three expected reports—the first, on software assurance, came out on November 2, 2021. Significant work is already underway on zero trust. The May 2021 Executive Order directed the Federal government to move towards a zero trust architecture, and the Office of Management and Budget subsequently issued an implementation memorandum. DOD, NSA, and DHS have each released guidelines for zero trust implementation. NIST has released a special publication (800-207), and has a designated "Zero Trust Architecture Lab" in its National Cybersecurity Center of Excellence (NCCoE). NCCoE is working on guidance that will illustrate zero trust implementation examples.
NSTAC recognizes the progress made to date but suggests that the efforts are now at an inflection point. Without broader and more coordinated efforts within and outside the Federal government, NSTAC warns that the zero trust initiative will result in a series of inadequate or incomplete technical projects, and not an enterprise-, government-, or nationwide strategic shift to improve cybersecurity. The report makes 24 recommendations, of which the majority address zero trust adoption across the federal government. The remaining recommendations suggest ways for the federal government to encourage adoption by non-federal entities. The NSTAC report underscores that zero trust and identity management are areas in which industry is ahead of the federal government. Further maturation of zero trust models will require continued collaboration with industry experts, and federal IT leaders should look to existing industry-developed models.
NSTAC Delves into Federal Zero Trust Adoption
NSTAC’s recommendations focus on what has to happen after the approximately 30-month timeline of the tasks laid out in the OMB Federal implementation guidance. The Committee recommends that the federal government adopt additional oversight and maturity metrics, make available resources to overcome barriers to adoption, and ensure that zero trust adoption is aligned with existing Federal Information Security Management Act (FISMA) reporting. NSTAC also highlights CISA capabilities and suggests that agencies leverage existing shared services and procurement vehicles, and that CISA establish a federal civilian zero trust program office to provide guidance and training to federal civilian agencies. The Committee highlights work underway at NIST to identify and categorize emerging identity management technologies, as the current federal reliance on physical identity cards for two-factor authentication presents significant challenges in the mobile environment.
NSTAC Addresses Zero Trust Adoption by Non-Federal Entities
NSTAC notes that the Federal government can do a lot to help push zero trust adoption in the private sector and internationally. The report recommends that the Federal government continue to work with industry to develop guidelines, and support and participate in international standards bodies. The report also suggests using procurement incentives, grants, and regulatory relief to encourage adoption, similar to the approach taken with the NIST Cybersecurity Framework. Specifically, NSTAC recommends incorporating zero trust guidelines, when mature, into assessments of information technology and security modernization grant and funding opportunities. These include broadband and other project funding opportunities, as well as cybersecurity programs for state, local, tribal, and territorial governments under the Infrastructure Investment and Jobs Act. Finally, the report highlights that regulators should clarify when a company’s zero trust adoption, or alignment to another established cybersecurity risk management framework, would be taken into consideration during an enforcement proceeding.
What is the Way Forward?
NSTAC says that the move to zero trust principles within the federal government is a generational investment that will take years to implement. Interested industries should watch this effort because:
- There are, and will continue to be, forums to provide industry-specific expertise to shape the development of the zero trust and advanced identity management guidelines;
- Zero trust principles will likely be part of a menu of cybersecurity risk management approaches that governments will seek to establish as a standard of care for companies; and
- For those in the government contracting space, zero trust adoption offers opportunities to earn business from federal agencies who are now in the process of transforming their IT and internal cybersecurity operations.
Wiley’s Cybersecurity and Government Contracts practices help companies anticipate and adapt to shifting government expectations – both in regulation and in procurement. The Department of Homeland Security and others are considering zero trust principles and how to encourage federal and private sector adoption. Meanwhile, several groups have been urging the government to recognize the costs and challenges of migrating to zero trust, and to remember that as the government struggles, so too will private sector adopters.