WASHINGTON – Today, global tech trade association ITI offered recommendations to help streamline the U.S. government’s adoption of Zero Trust Architecture (ZTA) in federal agencies. ITI’s comments come in response to the Office of Management and Budget's (OMB) request for industry input on the Federal Zero Trust Strategy as part of the Executive Order 14028 on Improving the Nation’s Cybersecurity.
“We agree with OMB’s objective to promote the intelligent and vigorous use of modern technology and security practices, while simultaneously avoiding disruption by malicious cyber campaigns,” ITI wrote in its comments. “The Strategy will provide actionable guidance to agencies as they are undergoing a major paradigm shift. Given the criticality of the subject matter, we encourage OMB to keep involving relevant stakeholders in the drafting of such guidance. We remain committed to sharing our experience and lessons learned to help streamlining the federal adoption of Zero Trust.”
To support agencies’ migration to a ZTA, ITI made a series of recommendations, including:
-
Align the targeted end-state to use cases rather than technology silos. For agencies to effectively adopt Zero Trust, it will be critical for them to understand the horizontal relationships across security segments. In its current form, the document appears to perpetuate the concept of security silos, addressing challenges in context solely to areas of functional capability (e.g., identity, data, devices). Operational use cases can produce meaningful insights that bridge traditional scenarios and highlight policy, technology, and organizational gaps.
-
Expand guidance on prioritization during incremental roll out. OMB should provide guidance on how agencies should prioritize ZTA use cases with respect to other identified priorities, such as High Value Assets (HVAs) and priority data assets identified per the Federal Data Strategy. OMB may also consider linking this guidance to known threats, existing high-risk vulnerabilities, and targeted asset classes (people, software layers, applications, devices, IoT, etc.) to have a more impactful initial response.
-
Involve agency leadership in ZTA migration. Zero Trust changes will impact agency processes and employee engagement at all levels. Administrators need to support the IT and Security teams by engaging in oversight committees and similar leadership fora. This will enable them to anticipate and lead the cultural changes that will occur.
-
Expand guidance on hybrid and BYOD work environments. Agencies have adopted policies and tools to enable hybrid work environments necessitated by COVID. OMB’s guidance should recognize this reality and provide recommendations for how ZTA can succeed in those situations. The Strategy should expand its guidance on how agencies can build a ZTA in work environments with hybrid or bring-your-own-device (BYOD) policies.
-
Reflect mandates in agency budgets. Because of its complexity, we suspect that the ZTA adoption mandate will present budgetary challenges for many federal agencies. OMB should provide sufficient funding to agencies to implement the cybersecurity requirements contained in the Federal Zero Trust Strategy.
Read ITI’s full comment submission here.