U.S. Government Proposals Promote ZTNA


By: Mary Jander


The U.S. government has given its agencies a bit more than three years to achieve Zero Trust Network Access (ZTNA) throughout their information technology (IT) infrastructures. And last week, two agencies responded with documents highlighting ways to achieve that goal, spurring interest in the expanding potential of the government market.

Responding to Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity,” which sets specific goals and demands for adjusting federal cybersecurity methods in response to ongoing and escalating threats, the U.S. Office of Management and Budget (OMB) and the Cybersecurity & Infrastructure Security Agency (CISA) presented detailed proposals for public comment last week.

The documents highlight the growing awareness of ZTNA as a foundation for cybersecurity – a development that’s taken root in the private sector, with companies abandoning perimeter-based security in favor of the ZTNA approach that trusts no one, restricts access on a least-privilege model, and continuously monitors all connections for anomalies.

Below is a rundown of the documents available for comment (especially from vendors, academia, and experts across the country). The comment window will be held open for a limited period this fall.

  • “Federal Zero Trust Strategy.” Agency: OMB. Comments must be sent by September 21, 2021, to zerotrust@omb.eop.gov. This 23-page document gives a high-level but detailed view of how the government expects its agencies to implement ZTNA. It describes what will be expected for handling identity and managing devices, networks, applications, and data in a zero-trust environment.
  • “Cloud Security Technical Reference Architecture.” Agency: CISA. Comments must be sent by October 1, 2021, to tic@cisa.dhs.gov. This 46-page document describes how government agencies can plan products, services, and strategies for securely moving from legacy to cloud environments.
  • “Zero Trust Security Model.” Agency: CISA. Comments must be sent by October 1, 2021, to tic@cisa.dhs.gov. This 19-page document describes CISA’s definition of ZTNA, comparing traditional, advanced, and optimal approaches to the various elements that comprise a ZTNA architecture.

ZTNA to Accompany Government Cloud Migration

The government documents repeatedly refer to ZTNA as a means of enabling agencies to continue to safely migrate to cloud environments. “This strategy encourages agencies to make use of the rich security features present in cloud infrastructure, while ensuring that agency systems are appropriately designed to support secure use of cloud systems,” states the “Federal Zero Trust Strategy” document. And it continues: “This strategy frequently references cloud services, as agencies are broadly expected to continue increasing their use of cloud infrastructure and associated security services.”

Indeed, the government’s push to ZTNA goes hand-in-glove with its move toward full digital transformation. The CISA “Zero Trust Maturity Model” states:

“Among other policy mandates, the Executive Order (EO) embraces zero trust as the desired model for security and tasks CISA with modernizing its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with zero trust architecture (ZTA)…. This modernization of the Federal Government’s cybersecurity will require agencies to transition stove-piped and siloed IT services and staff to coordinated and collaborative components of a zero trust strategy.”

Market Will Benefit

These government proposals are no surprise. The markets for cybersecurity and cloud technology have benefited from a number of recent contracts with U.S. agencies, including Hewlett Packard Enterprise’s (NYSE: HPE) recent $2 billion contract with the U.S. National Security Agency (NSA) and a $10 billion contract for AWS to port NSA’s intelligence information to that vendor’s cloud platform. (Microsoft [Nasdaq: MSFT] has cried foul to the Government Accountability Office, which should have an answer by October 29.)

These news items are just the tip of an iceberg that will continue to emerge over the next few years. By the end of fiscal 2024 – which is the fall of calendar 2024 – agencies of the federal government will have to comply with the plans proposed this week. Expect to see many vendors, including established players as well as well-funded startups, line up to help them meet the deadline.