Agencies must get better at refining zero-trust project requirements

Agencies have made “a lot” of progress implementing zero-trust security since the issuance of the Biden administration’s Cybersecurity Executive Order but still struggle to articulate IT project requirements, according to the General Services Administration’s cyber lead.

The executive order is forcing agencies’ chief information security officers to spend more of their limited funds on zero-trust solutions, but they need to think hard about the desired results, said Dan Jacobs, at the ACT-IAC 2021 Imagine Nation conference in Hershey, Penn., on Monday.

President Biden issued the executive order in May directing agencies to develop plans to implement zero-trust architectures, but every agency has different mission needs when procuring solutions, Jacobs said.

“Take whatever time within your project management plan you have set aside for gathering requirements, and triple it — quintuple it,” Jacobs said.

The request for information and selection criteria for a zero-trust solution will look very different for one that’s intended to be the first step toward a major secure access service edge implementation because different vendors are needed, he added.

Agencies also struggle with the taxonomy around zero-trust security, like the difference between network segmentation and microsegmentation; finding experienced cyber staff; and managing ownership of their requisite hybrid cloud environments, Jacobs said.

The hybrid, multi-cloud concept is “very powerful,” but agencies aren’t reaping the benefits of performance data coming out of zero-trust architectures quite yet, said Rob Carey, president of public sector for Cloudera.

“The things that the agencies need to do is you’ve got to know your network,” Carey said. “You’ve got to know which part of your mission is riding where and exactly what servers is that stuff riding on.”