Secret Service needs to make key improvements to zero trust effort, says watchdog
The Government Accountability Office (GAO) earlier this month made two key recommendations to improve the zero trust cybersecurity architecture of the Secret Service.
As cyber threats increase, the Secret Service is being pushed by the watchdog to adopt a more advanced internet protocol for its public-facing systems and to update its zero-trust architecture implementation plans. DHS leadership concurred with the GAO cybersecurity recommendations.
The Secret Service relies heavily on secure IT systems to support its protection and complex investigations mission.
In recent years, the law enforcement agency has developed a zero trust implementation plan with key adoption milestones, but according to GAO, these do not currently meet long-standing Office of Management and Budget (OMB) requirements for public-facing systems and industry best practices.
“Adopting zero trust architectures will require vigilance in revamping existing IT environments to defend against ever-increasing threats,” the GAO report said. “Although Secret Service has made progress, it has not yet addressed longstanding OMB requirements on implementing IPv6 for public-facing systems. By transitioning to this protocol, the agency can leverage additional security features.”
A zero-trust security architecture is one in which users on a network are not trusted by default and are instead required to provide credentials and earn authorization, typically with continuous validation. The Cybersecurity and Infrastructure Security Agency (CISA) has focused on implementing zero trust in federal agencies like the Secret Service through five key principles of identity, device, network, applications and workloads, and data.
Nearly half of federal IT executives in a recent survey said their agencies are moving away from traditional network perimeter defense tactics and taking steps to adopt identity-centered, or zero-trust, security strategies to protect their digital resources.