Federal Data Security – New Guidance to Help Agencies Operationalize Zero Trust Principles

Published: November 22, 2024

Federal Market AnalysisCybersecurityPolicy and Legislation

Federal cybersecurity and data management officials have issued guidance on employing zero trust principles to improve agency data security postures.

Recently, the federal Chief Information Security Officer (CISO) and Chief Data Officer (CDO) councils released a Federal Zero Trust Data Security Guide, a collaborative effort by stakeholders from more than 30 federal departments and agencies to aid government IT practitioners in operationalizing data security using a zero trust (ZT) framework.

Leveraging Zero Trust for Data Security

The guidance explicitly concentrates on the Data Pillar of the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model (ZTMM) and, as such, it does cover every aspect of ZT approaches.

The goal: support the shift in federal cybersecurity practices from relying on perimeter defenses to effective data security by securing the data itself using ZT principles.

The intended audience for the 42-page guide is a broad scope of practitioners charged with securing data, including system owners, data management practitioners and stewards, system administrators, and cybersecurity engineers, according to the document.

The guide breaks down an agency’s ZT data security progression into three chapters:

  • Define the Data: Find and identify the totality of the agency’s data landscape, learn how to accurately categorize and handle data, and define the sensitivity and criticality of data.
  • Secure the Data: Implementing the appropriate security monitoring and controls, such as encryption, for data and incorporating risk management and identity, credential, and access management (ICAM). The chapter also addresses considerations for privacy and compliance.
  • Manage the Data: (Placeholder/under development) This chapter will address ensuring that data security practices are aligned with and embedded in data lifecycle management (DLM). It will discuss how readers can equip their team with the necessary skills and adapt their approach to address emerging technologies. The council will continue to develop and refine content in the future.

The guide includes a companion document comprised of appendices covering Data Inventory; Data Stewardship; Security Monitoring and Controls; Roles in Data Security Risk Management; and Identity, Credential, and Access Management (ICAM) Principles. The companion also includes a Glossary and Resources with links to key related publications, executive orders, OMB guidance and related federal laws.

Federal Zero Trust Evolution Continues

The latest guidance satisfies a key deliverable requirement under the Office of Management and Budget’s (OMB) January 2022 directive, Moving the U.S. Government Towards Zero Trust Cybersecurity Principles. Federal agencies were required to have submitted their updated ZT implementation plans to OMB and the Office of the National Cyber Director (ONCD) earlier this month.

Implementing zero trust will continue to be a major governmentwide priority for OMB for the foreseeable future. In July, OMB issued a memo to federal agencies with instructions on cyber priorities for their FY 2026 budget preparations and ZT was among the top priorities, continuing the trend we saw for their FY 2025 cyber budget and the FY 2024 cyber budget preparations as well.