Dec 07 2021

2022 Tech Trends: States Are Poised to Start Moving to Zero Trust

Federal agencies must have the security framework in effect by fall 2024. Could state and local governments be next?

A zero-trust cybersecurity approach may be on the verge of gaining ground in some state governments.

Per an executive order President Joe Biden signed in May, the federal government is requiring federal agencies to shift to a zero-trust architecture by fall 2024.

Because numerous state agencies regularly interface with federal networks for data reporting, benefits administration and other reasons, the impetus to adopt a zero-trust architecture may subsequently filter down to state governments.

Sixty-seven percent of state CIOs said introducing or expanding a zero-trust framework would be a focus in the next two to three years, according to a recent National Association of State Chief Information Officers survey.


Early Adopters See Zero-Trust Advantages for Remote Work

Zero trust can involve using strict access controls, multiple authentication checkpoints and increased monitoring resources to repeatedly verify users and devices before allowing them to access a network or asset.

Eric Sweden, program director of enterprise architecture and governance at NASCIO, expects more states will begin incrementally adopting that type of cybersecurity approach as part of their ongoing maturation.

“Zero trust does not have to be — most likely cannot be — a one-time initiative,” Sweden says. “States already have in place many of the capabilities required for zero trust — possibly 50 to 74 percent of the necessary technology and organizational capabilities.”

Some have already begun adopting a zero-trust mindset. Oklahoma, for example, fast-tracked its move to zero trust during the COVID-19 pandemic. By April of this year, the state’s Office of Management and Enterprise Services reportedly had deployed Zscaler Private Access, a cloud-based solution that provides zero-trust access to private applications running on public clouds or in data centers, to help scale remote access for more than 30,000 teleworking employees.

Washington state CISO Vinod Brahmapuram, speaking at an online event in August, said the state was transitioning to a zero-trust structure — a modernization move he described as “part of what we should all be doing,” StateScoop reports.

With states and municipalities facing significant ransomware and other security threats, smaller localities in particular may need to outsource some tech-related operations in order to enhance their cybersecurity stance, says Alan Shark, executive director of CompTIA’s Public Technology Institute.

“It’s not just a matter of money,” Shark says. “It’s staffing, it’s training, it’s certifications: They don’t have it. Having managed service providers may be a better answer for them.”


Guidance Could Help Agencies Make Progress on Zero Trust

Because zero trust is essentially a concept — not a prebuilt solution or set of tools that can be purchased and put into use — confusion can arise over what specific elements are involved.

For more states to buy into zero trust’s value and be able to execute it successfully, the federal government, Shark says, may need to provide more detailed information.

“Zero trust means you have to get into a system that locks you out until you prove otherwise,” he says, referring to the requirement that people seeking access prove they are who they say they are. “It means better authentication of who is coming in, having authorized users on different levels — saying someone has certain rights to get into these certain records, but someone else can get into more. What’s missing is a true definition that a majority of folks can understand. Once they have that, they can better figure out strategies to adopt.”


With additional clarification, Shark says, state governments would be open to the idea.

“No one’s saying no,” he says, “but I’ve heard some people say, ‘It’s just too difficult to get in’ and ‘It’s just like using passwords.’”

Implementation of identity management, one of the five pillars the Cybersecurity and Infrastructure Security Agency has recognized, would span its Zero Trust Maturity Model and could be an area for state and local governments to make initial investments related to zero trust, Sweden says.

State CIOs ranked identity management as their No. 3 tech priority this year.

“Identity management is a very strong candidate,” Sweden says. “State identity, access and credentialing management has high levels of attention for both internal and external, citizen-facing government services.”


Logistical Challenges May Delay Zero Trust’s Widespread Adoption

Even if a growing number of states become eager to add more access-based user and device authentication controls, Sweden isn’t sure a fully realized zero-trust model will become the norm for some time, due to current state government budget constraints.

Most states only spend up to 2 percent of their total IT budgets on cybersecurity, according to Deloitte research.

“States are already underfunded relative to cybersecurity,” Sweden says. “To carve out part of the budget to begin implementing zero trust will be difficult.”

With zero-trust efforts potentially affecting human resources, data management and other functions, the security framework’s enactment may ultimately be treated as part of state governments’ ongoing cybersecurity governance and operation needs, Sweden says, instead of an annual budget item.

“The investment in zero trust will necessarily have to come from a variety of sources,” he says. “Because zero-trust implementations must connect with a number of allied disciplines — records management, privacy, analytics and software asset management, to name a few — zero trust must be seen as an enterprisewide capability.”

Illustration by Jacey
