Cyber Defense Magazine – August 2019

Federal IT leaders should take a phased approach to simplify solutions into relevant use cases that
advance mission goals. To support this approach, they should make two initial determinations. First,
identify the most significant pain points or areas of vulnerability. Second, choose one of those challenges
and identify an affected user community as well as the resources they need to access.


“You have to understand the importance of your data and how you access it,” said Jeffrey Flick, Acting
Director, Enterprise Network Program Office, National Oceanic and Atmospheric Administration, at an
ACT-IAC zero trust panel in May 2019. “This goes back to your mission, and everybody has different
kinds of missions, so zero trust implementations will need to be very scalable.”


Once both are specifically identified and tightly scoped, agencies can run a pilot. Agencies don’t have to
buy a set of appliances, rack and stack them, load-balance and protect them, and so on—instead they
can sign up for an initial subscription in a cloud-based, scalable solution. If successful, agencies will have
a better understanding of the potential benefits of expanding deployment across the organization. Zero
trust adoption should be a journey focusing on short-term accomplishments toward long-term goals.


Mission-Driven Effort


One fundamental truth across public and private sectors is that people fear change—and implementing
zero trust requires a “whole-of-agency” effort. Since zero trust solutions are new to government,
implementations shouldn’t be strictly driven by IT; they should be a mission-driven effort.


Zero trust by nature impacts program security, risks, and performance. To assess the risk of adopting
zero trust technologies, agencies should consult an internal expert with enough technical background
and policy awareness to assess possible solutions and understand potential benefits of zero trust
technologies. Through collaboration, program and IT leaders can design and implement zero trust
together to ensure success and compliance with policies such as FedRAMP, TIC, and FISMA.


Private/Public Partnership


One key question to consider before adopting zero trust is who to choose as your partners. Industry
partners need to understand an agency’s unique needs and risk profile—there is no one-size-fits-all
solution.


The federal government is better positioned now than ever to adopt zero trust. And implementing zero
trust has many benefits beyond improved cybersecurity, including seamless user experience, better
performance, lower cost, and consistent control and visibility regardless of user and application location.


To learn more, read the ACT-IAC Zero Trust White Paper. It provides key concepts, recommended steps,
information on required federal certifications, and lessons learned working within federal environments,
as well as details on pilot programs—putting you on the path to successful implementation.
