Zero Trust Can't Stop at the Federal Level

The federal government must step in to help local and state governments implement zero trust.

Brandon J. Pugh, Senior Fellow & Policy Counsel, Cybersecurity & Emerging Threats, R Street Institute

March 9, 2022

4 Min Read
The phrase "zero trust"
Source: Olivier Le Moal via Alamy Stock Photo

Between the vulnerabilities caused by remote work during the pandemic and cyberattacks being more frequent than ever, an aggressive and innovative approach to addressing the cyber crisis is needed now. The White House's recent requirement for federal agencies to achieve a zero-trust architecture is a great first step, but zero trust can't stop there.

The zero-trust requirement, part of President Joe Biden's cyber plan, is directed at federal agencies. It can be easy, therefore, for local and state leaders to dismiss it as irrelevant. That couldn't be further from the truth. Government leaders at all levels must implement their own form of zero trust to better protect us all.

At the same time, there are critical steps the White House needs to take before zero trust has any hope of moving beyond the federal level on a larger scale.

1. Define Zero Trust and Why It Matters
It needs to be made clear to local and state officials what zero trust is and why they should care. This is especially true for those not in an information technology role. Zero trust isn't a program to install, but rather an approach where no user, device, or application operating in or out of a security perimeter is trusted. It requires verifying everything attempting to establish access and minimizing access to what is needed through a combination of technology and policies. For example, zero trust would treat access requests from devices on known and unknown networks the same, subjecting both to the same security requirements. This is in contrast to a traditional security approach, where a firewall establishes a perimeter but gives broad access to everything inside it.

The pandemic highlighted the need for zero trust because of the shift to remote work, where employees left the perceived safety of an internal network infrastructure for computers at home. Meanwhile, the number and severity of cyber incidents have continued to rise among local and state governments, which makes it imperative for efforts to not stop at the federal level. Zero trust might not fully solve either issue, but it would be a step in the right direction.

2. Clarify the Zero-Trust Implementation Process
The federal government must clarify the steps required to implement zero trust. Multiple examples of best practices exist, including those from the Department of Defense and the National Institute of Standards and Technology. The White House's requirement follows the Cybersecurity and Infrastructure Agency (CISA) model. Without clear guidance, how are local leaders supposed to know which guidelines and best practices work best for them and where to begin? The administration needs to choose an agency to lead in this space — likely CISA — and make consistent recommendations.

Many entities already have elements of zero trust in place, such as authentication and access limitations, but they should seek to expand zero trust and ensure they have a plan for doing so. Rather than aiming for the ideal architecture in the short term, something is better than nothing. For example, the use of multifactor authentication alone can block more than 99.9% of account compromise attacks, according to Microsoft.

3. Address the Skills Gap
Gaps in technical expertise and funding at the local and state level need to be addressed. Some have already questioned whether the federal government can achieve the zero-trust goal by the end of fiscal year 2024. If it's a challenge at the federal level, there will be an even heavier burden on state and local entities, where cybersecurity preparedness varies greatly from jurisdiction to jurisdiction and the pandemic has impacted budgets. The federal government needs to provide accessible and ready-to-implement zero-trust resources, similar to CISA's guide for governors and cyber-essentials starter kit. This would complement CISA's push for local leaders to take action and the new $1 billion cybersecurity grant program.

Zero trust will not be as easy to implement for local and state governments as it will be for the private sector and federal government, but this does not mean that they should avoid it. Local and state governments should move toward zero trust now, but the federal government needs to act to drive progress.

About the Author(s)

Brandon J. Pugh

Senior Fellow & Policy Counsel, Cybersecurity & Emerging Threats, R Street Institute

Brandon Pugh is a Senior Fellow and Policy Counsel for the R Street Institute’s Cybersecurity and Emerging Threats team. Outside of R Street, he serves as an international law officer in the U.S. Army Reserve and on several boards, including a governor’s advisory council.

Prior to R Street, Brandon was legislative counsel for the NJ General Assembly Minority Office, where he handled nearly all legislation on cybersecurity and emerging technology. He also served as a fellow with the FBI, the managing editor of the Journal of Law and Cyber Warfare, and an elected and appointed official at the local, county and state level. This includes service as a vice president of a quasi-governmental entity representing New Jersey’s nearly 600 school boards.

He received a JD from Rutgers Law, is a Master Continuity Practitioner, and is a Certified Information Privacy Professional. Views expressed are not of the Department of Defense.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights