{"id":156011,"date":"2022-03-07T06:00:48","date_gmt":"2022-03-07T14:00:48","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=156011"},"modified":"2022-03-07T09:32:21","modified_gmt":"2022-03-07T17:32:21","slug":"federal-guidelines-for-zero-trust","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2022\/03\/federal-guidelines-for-zero-trust\/","title":{"rendered":"Choosing Which Federal Guidelines to Follow for Zero Trust"},"content":{"rendered":"

Federal agencies are feeling increased pressure to adopt appropriate federal Zero Trust guidelines and accelerate their adoption of a Zero Trust architecture, following the recent release of a U.S. Office of Management and Budget (OMB) memo<\/a>. The OMB memo is a continuation of the May 2021 Executive Order on Improving the Nation\u2019s Cybersecurity<\/a>, which outlines aggressive implementation deadlines for a federal Zero Trust architecture strategy over the next two-and-a-half years.<\/p>\n

What\u2019s outlined in the OMB memo is a big ask on an intense timeline. As one Forrester analyst noted<\/a>, if the government Zero Trust strategy is \u201cexecuted as mandated, not only will government agencies meet the security maturity levels of large organizations in the private sector\u2026 they\u2019ll also surpass them.\u201d<\/p>\n

While the transition to a Zero Trust cybersecurity approach offers a great deal of upside for federal agencies, many organizations are still trying to find direction in their journey<\/a>. One question we\u2019re hearing often from the agencies we work with is, \u201cWhich federal guidelines for Zero Trust should we follow?\u201d The good news is that each of the guidelines explored below can provide you with valuable information on guidance, functionality, security controls and operations for Zero Trust.<\/p>\n

Zero Trust is a strategic approach to cybersecurity that secures an organization by simplifying security to a single use case: the elimination of implicit trust and the continuous validation of every stage of a digital interaction. Choosing Zero Trust guidelines or frameworks and accessing expertise from trusted resources are critical steps to implementing an effective strategy. To help agencies with their decision-making, here\u2019s a quick overview of three of the most commonly cited Zero Trust frameworks.<\/p>\n

<\/a>NIST Special Publication 800-207: Zero Trust Architecture<\/h2>\n

The primary focus of<\/span> the National Institute of Standards and Technology (NIST) guidelines<\/span><\/a>, which were introduced in August 2020, is to help federal agencies reduce implicit trust zones and understand policy enforcement points and policy decision points. The guidelines cover the basics of Zero Trust and are meant to help federal agencies understand (at a macro level) how data, applications, systems and networks interact.\u00a0<\/span><\/p>\n

NIST recommends agencies design and deploy a Zero Trust architecture with adherence to seven basic tenets, from considering all data sources and computing services as resources, to collecting as much information as possible about the current state of assets, network infrastructure and communications and using that information to improve the organization\u2019s security posture.<\/p>\n

<\/a>DOD Zero Trust Reference Architecture<\/h2>\n

Released in February 2021, the<\/span> Department of Defense (DOD) guidelines<\/span><\/a> offer a more operational and micro-level approach to Zero Trust than the guidance from NIST. The DOD Zero Trust Reference Architecture includes seven \u201cZero Trust Pillars and Capabilities\u201d and addresses specific functions and security controls, such as data loss prevention (DLP), data tagging and microsegmentation (practice of creating logical network zones to isolate network segments). This reference architecture includes a maturity model that describes the importance of establishing a baseline protection level prior to designing a Zero Trust architecture.<\/span><\/p>\n

Per the directive, DOD agencies, including military departments and the Defense Information Systems Agency (DISA), should align to the DOD Zero Trust Reference Architecture as it was crafted with a defense-specific mission and requirements in mind. We also anticipate that many DOD agencies may decide to adopt some type of maturity model as well as measure their progress along their Zero Trust security evolution.<\/span><\/p>\n

<\/a>CISA Zero Trust Maturity Model<\/h2>\n

Finally, there is the <\/span>Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model<\/span><\/a>, which was introduced in June 2021 as a resource primarily for civilian agencies. The CISA Zero Trust Maturity Model includes five pillars (identify, device, network\/environment, application workload and data) and three cross-cutting foundational elements: visibility and analytics, automation and orchestration and governance. This model outlines a good-better-best approach to Zero Trust, which CISA refers to as \u201ctraditional, advanced and optimal.\u201d<\/span><\/p>\n

The \u201coptimal\u201d stage of Zero Trust security is the ultimate goal, of course. At this point in the Zero Trust journey, according to CISA, a federal agency would be accomplishing many things:<\/p>\n