{"id":60662,"date":"2022-12-19T15:54:20","date_gmt":"2022-12-19T07:54:20","guid":{"rendered":"https:\/\/version-2.com\/?p=60662"},"modified":"2023-07-24T18:34:03","modified_gmt":"2023-07-24T10:34:03","slug":"zero-trust-guidance-rewrites-us-cyber-strategy","status":"publish","type":"post","link":"https:\/\/version-2.com\/en\/2022\/12\/zero-trust-guidance-rewrites-us-cyber-strategy\/","title":{"rendered":"Zero Trust Guidance Rewrites US Cyber Strategy"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\n\n\n

\u201cOur adversaries our in our networks, exfiltrating our data, and exploiting the Department\u2019s users.\u201d
<\/p>

So reads the humbling introduction to zero trust guidance<\/a> recently released by the Department of Defense (DoD). It acknowledges in the very first line that cybersecurity has failed on almost every front. Then it makes a complete commitment to zero trust as the solution.
<\/p>

Many were waiting on this guidance and wondering what, exactly, it would entail. It comes following an order from the Biden administration 18 months ago to strengthen America\u2019s cybersecurity in a big way. Many changes and long-overdue improvements have come out of that order. But by far the most significant is a commitment on the part of all federal agencies to adopt a complete zero-trust posture by 2027.
<\/p>

We now have a road map for how the government plans to get there. I will cover that shortly. Before that, let me highlight a few reasons I think the latest guidance (and the strategy that prompted it) are worth paying attention to.
<\/p>

First, that strategy will form the backbone of U.S. cybersecurity, which in turn will play a critical role \u2013 or may even be the cornerstone \u2013 of continued national security. Cyber attacks will be the most accessible, most common, and most devastating kinds of attacks in the future, so how countries defend themselves against this massive risk really matters. I have been writing about national cyber defenses from a few lenses recently. What makes the US approach unique, from my perspective, is the insistence on not just applying a cyber strategy consistently across all agencies but focusing it so specifically on zero trust. Some will call it practical, even mandatory, to make zero trust the guiding principle of cybersecurity in a decentralized world. Others, however, might view it as putting too many eggs in one basket. Time will tell.
<\/p>

Which brings me to my second observation, which is that the US government is embarking on the biggest experiment in zero trust ever undertaken. Keep in mind that the phrase \u201czero trust\u201d has barely existed for more than a decade, and few large-scale, trust-free environments are actually up and running. Despite widespread zero trust adoption across the private sector, the government is by far the biggest trailblazer on this front, and the road ahead will be illustrative for all. What will it take to eliminate trust from the whole of the federal government? And once 2027 arrives, how secure will the government really be? This test case could cement zero trust as the centerpiece of cybersecurity moving forward \u2013 or it could reveal zero trust to be just the latest flawed fad. I suspect the answer will land somewhere in the middle. But unpredictability is the dominant feature of cybersecurity, so who knows what will happen? It will be important no matter what.
<\/p>

The Next Five Years in Zero Trust<\/strong>
<\/p>

A 2027 deadline to standardize zero trust across all federal agencies creates a lot of work to finish in a short five years. To its credit, the DoD seems to be fully aware of that fact because the roadmap is systematic and comprehensive to an extreme degree. Since there are so many different agencies with so many levels of cyber maturity \u2013 along with existing zero trust deployments \u2013 the guidance aims (and largely succeeds) at being accessible and universal. Which is a bonus for the private sector because companies can then easily adopt the government\u2019s zero trust strategy as their own.
<\/p>

The roadmap has four distinct goals:
<\/p>