Connecting state and local government leaders
COMMENTARY | Because zero trust is founded on cybersecurity tenets like segmentation and identity management, state and local governments can adopt the strategy quickly and effectively.
For many state and local CISOs and CIOs, zero trust has become an increasingly appealing option for securing their networks. While it’s unclear how widely zero trust strategies and technologies are being adopted by state and local governments and where agencies are on their adoption, what is clear is that every government IT leader should be figuring out a way to integrate zero trust strategy into their roadmap of programmatic cybersecurity initiatives.
It might seem a daunting task to take on a whole new strategy for defending against cyberattackers with the challenges posed by increasing budget constraints and a cyber workforce gap that’s only widening. It doesn’t have to be. A zero trust approach is founded on tenets like segmentation and identity management that permeate even the most foundational layers of cybersecurity.
In fact, state and local governments can rely on readily available resources to address these challenges and help make their march to implementing zero trust faster and more effective.
Don’t reinvent the wheel
Before trying to develop a framework or buy zero trust-related cyber solutions, state and local agencies should look to the resources that already exist and follow the lead of others in the public sector who have already begun to implement a zero trust strategy.
One way is to leverage existing federal guidance. State and local IT leaders can look to individual federal strategies like those laid out by the Department of Defense—and even more so, by the Office of Management and Budget for the civilian agencies. These may not be perfect fits, but they will help. Documents like the National Institute of Standards and Technology’s SP 800-207 along with the Cybersecurity and Infrastructure Security Agency’s Tech Reference Model and Zero Trust Maturity Model can help state and local governments assess where they are in their implementation journey and where they need to go. Many federal agencies are moving into implementation of zero trust, and state and local IT leaders can take advantage of published case studies and informal lessons learned.
Once state and local governments are past the planning stage and ready to actually buy and implement solutions, they can look at federal contracting language for examples they can use to procure zero trust-related tech. This is especially important for state and local government procurement offices that are short of cyber experts, saving them from trying to generate contracts from scratch.
This approach has the additional benefit of using contract terms that the vendor community is already familiar with, since they may also sell to the federal government. There are several initiatives underway to create virtual libraries of cybersecurity contract language that state and local government agencies can use.
Beyond that, agencies may find that products and services that are already on their security modernization roadmap align with zero trust. For example, most security information and event management (SIEM) and security orchestration, automation and response (SOAR) products perform functions that map to pillars of the federal zero trust model. They can be invaluable starting points for implementing real-time situational awareness and response.
Address the cyber workforce gap
One of the biggest challenges to state and local implementation of zero trust is the cyber workforce gap. It’s tough to get all of this retooling done without people who can translate a zero trust strategy into broader IT and security modernization plans.
One solution is for local governments to partner with others. Local governments can realize an economy of scale by banding together to regionalize their efforts, which may make it easier to attract or train needed talent. Agencies can work with private sector partners, who may have more experience with the latest cybersecurity technologies. They can also turn to their state for guidance and possibly for shared services.
Organizations like the National Association of State Chief Information Officers (NASCIO) offer a wealth of both information and potential partners. Their resource center is replete with documents, blogs, white papers and podcasts showing how states are tackling cybersecurity challenges, including implementing their zero trust strategies.
Beyond that, remote workers can provide state and local governments with the needed zero trust expertise. While it’s important—especially for local governments—to have the majority of their employees on the ground, the geographic range for tech talent should be widened. Remote workers with specialized skills can shepherd state and local IT teams through the zero trust journey using any number of collaboration tools we’ve all become familiar with since the onset of COVID.
It’s imperative that state and local government agencies implement zero trust strategies as soon as possible. Zero trust enables agencies to focus on ensuring the secure connection of users (employees and citizen-users), devices, data and compute resources regardless of where any of these elements is located. State and local agencies have been on the forefront of the public sector’s move toward better customer service and efficient operations—and zero trust is likely to be an invaluable tool for continuing this transformation.
There are many resources out there that can help state and local agencies regardless of where they are in their zero trust journey. The most important part is to just get started. Agencies can use what they already have to bring together the foundational pieces and then lean on best practices and information that is already being used by others in government and in the private sector.
Jim Richberg is the public sector field chief information security officer at Fortinet.