DHS’s New Zero Trust Implementation Strategy

Published: March 07, 2024


Homeland Security’s strategy to improve cybersecurity through zero trust provides flexibility and will require robust approaches.

The Department of Homeland Security (DHS) recently released its Zero Trust Implementation Strategy to provide a strategic framework for the actions necessary to implement zero trust (ZT) across the department. The document was released at the end of February, although DHS finished work on it in October 2023, which is its official date.

DHS’s Strategic Approach to Zero Trust

The newly released strategy builds upon the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model (ZTMM), which CISA drafted in September 2021 in line with the White House’s May 2021 Executive Order (EO) on improving federal cybersecurity. CISA further updated its ZTMM in April 2023. DHS’s strategy and the ZTMM also align with Office of Management and Budget (OMB) efforts to put federal agencies on the path to zero trust by the end of fiscal year (FY) 2024, which ends in October.

From the outset of the new strategy, DHS emphasizes how readers should interpret the document: “What follows is not a strategic plan—it is not intended to provide a comprehensive list of actions or to sequence all actions in time and space. Rather, it is a strategic approach—a list of shared focus areas requiring actions to be coordinated and aligned to achieve complementary effects,” (emphasis theirs). Thus, the document is meant, in spirit and structure, to provide DHS’s perspective on ZT and allow components a measure of flexibility in pursuing it.

The approach’s five principal areas of strategic focus with their respective elements are:

  • Foundational Efforts – Identification of component critical data, assets, and resources; adopting identity-driven access; adopting the principle of least privilege; and threat surface reduction.
  • Standardization and Interoperability – Identity and access control standardization; data and metadata standardization; standardizing operational metadata; establishing and sharing reference designs; and designing and testing for interoperability.
  • Enterprise Services – Shared platforms aligned with zero trust principles; enabling visibility and analytics and automation and orchestration across the five pillars of the ZTMM; shared, federated identity services; and enterprise licensing and procurement vehicles for commonly used solutions.
  • Accelerators – Leveraging existing, cloud-based, zero trust-aligned platforms for adversarial emulation and encapsulation of legacy systems; and using software-based approaches to providing highly secure environments.
  • Governance – The ZT decisions to be made and actions taken at an institutional scale regarding relevant enterprise services, accelerators, technical standards, reference designs and standard configurations, and the allocation of scarce resources.

Measuring ZT Strategy Success

To measure success, DHS will monitor two metrics relative to any current or potential ZT solution or implementation: Customer Experience and Operational Resilience. Improving both is a White House priority. “In principle, these metrics should never be in conflict. Successful zero trust solutions and implementations should increase both customer experience and operational resilience in tandem,” the strategy states.

Contractor Implications

The strategy emphasizes the need for DHS and others to be “brilliant at the basics” to implement ZT. The document states, “Much of the work of implementing Zero Trust, for any organization, is just work. It does not involve procuring or installing new technology but may (and usually will) involve integrating and using existing technology in new ways, consistent with zero trust principles,” (emphasis theirs).

While that may appear to discourage the potential for ZT-related contracted solutions and support, throughout the strategy DHS refers to various technologies, solutions and services to leverage in pursuit of ZT that have clear contracting implications and opportunities, such as cloud services, software products, integration services and governance expertise.

The evolution of ZT across the federal landscape will naturally lead agencies to abandon some products, services and architectures in favor of others. Further, the creative redeployment of existing technologies and the integration effort that comes from re-architecting existing systems will require time, expertise and support. So, while implementing zero trust may be “just work” and emphasize the basics of IT, already-stretched agency IT shops will continue to look toward industry support for success.

Zero Trust is among OMB’s FY 2025 cybersecurity budget priorities for federal agencies. The release of the FY 2025 budget is anticipated in the coming days (or weeks, depending on who you talk to). The budget details that emerge may give us further clues on the solutions and support needed and potential contract opportunities to come.