Federal data, security leaders release zero-trust guide ahead of White House deadline

The Federal Zero Trust Data Security Guide is aimed at “securing the data itself, rather than the perimeter protecting it.”
Acting Federal CISO Mike Duffy speaks during CyberTalks on Oct. 30, 2024, in Washington, D.C. (Scoop News Group photo)

A week before a deadline for federal agencies to submit to the White House their updated zero-trust implementation plans, a coalition of government IT leaders released a guide intended to strengthen data security practices.

The 42-page Federal Zero Trust Data Security Guide, spearheaded by the Federal Chief Data Officers and Federal Chief Information Security Officers councils, zeroes in on “securing the data itself, rather than the perimeter protecting it,” part of what a Thursday press release termed “a foundational pillar of effective” zero-trust implementation.

By Nov. 7, federal agencies must provide their updated plans for zero-trust implementation to the Office of the National Cyber Director and the Office of Management and Budget.

“This guide represents insights from agency practitioners who are in the trenches working to implement zero trust and secure their organization’s data,” Kirsten Dalboe, the Federal Energy Regulatory Commission’s CDO and chair of the CDO Council, said in a statement. “We’re building a cooperative relationship between data and cyber to tackle this government-wide challenge and ultimately ensure the public’s data is secured.” 

Steven Hernandez, the Department of Education’s CISO and co-chair of the CISO Council, added that “this is the first time that federal security teams and data teams are coming together in this way to tackle a challenge of this magnitude.” 

The guide, which also included input from data and security experts across more than 30 federal agencies and departments, provides an intended audience of system owners and administrators, cybersecurity engineers and data managers with detailed zero-trust principles aimed at informing decision-making and aligning with agency missions.

Part of the guide, a five-step zero-trust security roadmap, outlines suggested actions that practitioners can take to protect their data, while a subsequent section centers on identifying, defining and categorizing data.

The guide also highlights data-related risks that “have the potential to harm the national security and economic interests of the United States.” Those risks make it “imperative that practitioners understand their roles and responsibilities and are held accountable for managing information security risk,” the guide states.

Specific risks to data called out in the guide include cybersecurity threats, storage failure, incomplete erasure, and risks involving data transmission, data storage and data resiliency. Risks from data usage cover everything from processing errors and data accountability to algorithmic bias and misinterpretation of data.

The guide closes with a handful of recommendations for best data practices, including cross-functional and collaborative communication, a strong relationship between data and security teams, continuous learning and education, adaptability, regular assessments and “across-the-board buy-in.”

In previewing the guide Wednesday during CyberScoop’s CyberTalks event, Mike Duffy, the acting federal CISO, said the collaboration between the Federal CISO and CDO councils represented “an important step” to tackle “something that is critically important for artificial intelligence and vital for zero-trust maturation.”

“It is one of the pillars in the zero-trust maturity model that has always been a challenge for large organizations,” Duffy said. “It is something that we as a government now have a way to wrap our arms around it through this guide. This was forecasted in 2022 as we thought through that policy for zero trust, that this guide would be important at this particular moment. And we’re excited to have that.”
