Paying for the shift to zero trust

National Security Agency Headquarters in Ft. Meade, Md. Photo by NSA via Getty Images

The National Security Agency has been working with the Pentagon's CIO to understand how agencies might be able to fund their journeys to zero trust.

A National Security Agency official recommended agencies plan future cyber investments around the implementation of a zero trust architecture, using a step-by-step approach to fund key components for a comprehensive information technology security model. 

Neal Ziring, NSA's technical director of the cybersecurity directorate, said his agency has been working to implement various zero trust features within its own systems at the Department of Defense since the 2000s – years before the phrase "zero trust" was even coined. 

"But now we've brought it together into a unifying, architectural concept that we think is very effective at guiding an enterprise's investment," Ziring said on Tuesday at an event hosted by the Intelligence and National Security Alliance. 

Last year, the NSA released guidance on how to implement a zero trust security model, which restricts network access controls and uses continuous verification to mitigate cyber vulnerabilities. The initial guidance aimed to provide a blueprint for federal IT officials and agencies on the path to establishing enhanced enterprise-wide security models. While some zero trust provisions were already in place at DOD to maintain access to sensitive information, many agencies lacked core components of a zero trust architecture, including coordinated and aggressive system monitoring, system security automation and risk-based access controls.

Ziring said the agency was now working with partners like the DOD's CIO to understand how a step-by-step funding approach towards zero trust "can be done most effectively" within the department before rolling out any new guidance to other agencies. 

"In order to power control of rights, I'm going to invest in strong authentication," he said. "If I want to control access to my data, I'm going to have the data tagged or marked in such a way that I know what policies apply to it, so I'm going to go do that part. It's always going to be stepwise. You can't do a flag day."

How agencies can plan and budget to successfully establish enterprisewide comprehensive security frameworks without a stable and consistent budget has been a top question for federal IT leaders since zero trust was featured in a White House cybersecurity executive order last year. 

Ann Dunkin, CIO for the Department of Energy, told a November conference that one of her agency's biggest challenges was implementing zero trust and provisions like multi-factor authentication "across a wide variety of environments" without increased investments and consistent congressionally allocated resources.

Other experts have pointed to unfunded cyber mandates throughout the executive order as a potential challenge for agencies in meeting its ambitious deadlines, while recommending additional appropriations to establish much-needed improved cybersecurity standards across the federal government.