How Federal Agencies Are Achieving Zero Trust With Automation

As cyberattacks grow in severity and sophistication, agencies are using AI and automation to meet zero-trust mandates and safeguard national infrastructure.

By Brandon Maxwell · Oct. 23, 24 · Analysis

“Never trust, always verify.” This key principle has been ingrained into the cybersecurity lexicon since Forrester first popularized the concept of zero trust in 2009. Since then, zero trust has emerged as one of the most important frameworks in modern cybersecurity programs.

For government agencies, the shift to zero trust is both crucial and inevitable. Tasked with protecting vital national infrastructure and driving scientific innovation, agencies are increasingly waking up to the fact that traditional security practices no longer cut it in today’s escalating, and increasingly complex, threat landscape.

About Zero Trust and Automation

The push towards zero trust has gained considerable momentum in recent years, spurred by President Biden’s 2021 executive order aimed at bolstering the U.S.’s cybersecurity capabilities. The directive, further underscored by the Biden administration's 2023 National Cybersecurity Strategy and the Department of Defense's 2027 zero-trust goal, sets a clear mandate for moving beyond traditional cybersecurity practices.

Automation plays a key role in reaching zero-trust targets. A memo to agency heads in 2022 (or M-22-09, to give its official name) stressed the importance of moving beyond perimeter-based defenses to a zero-trust architecture that required continuous verification of users and devices. Crucially, it highlighted the need for tools capable of automating this continuous monitoring and streamlining complex processes without the need for constant human oversight.

The federally funded Oak Ridge National Laboratory (ORNL) was among those that heeded the call. To meet the government’s zero-trust mandate, the research institute set out to optimize its security team — composed of veterans, active duty personnel, reservists, and civilian security experts — through automation.

Oak Ridge has over 6,000 employees worldwide and highly sensitive initiatives within its remit, making security foundational to its operations. By employing no-code tools, ORNL was able to increase the number of team members who could manage automation and reduce the mean time to resolution for security incidents — an especially important requirement, given that active-duty and reserve personnel were often deployed for months at a time. 

Automation also eliminated the need for specialist scripting knowledge to maintain ORNL’s complex tech stack, which had historically created bottlenecks. By linking together its disparate internal and external systems and enabling them to “talk” to each other, Oak Ridge was able to automate routine tasks and break ground on projects that were years in the making — all while transforming the organization’s evaluation and reporting capabilities.

Oak Ridge offers a prime example of how automation can help federal agencies transform their security posture while upholding the integrity of sensitive information. The importance of taking such steps was illustrated in a leak of classified national defense information on Discord in April 2023, which subsequently saw a 21-year-old U.S. Air National Guardsman indicted by a federal grand jury.

John Sherman, the Pentagon’s Chief Information Officer, commented that, had the U.S. Defense Department fully implemented a zero-trust strategy, it “sure as heck would’ve made it a lot more likely that we would’ve caught this and been able to prevent it.” 

As a former Intelligence Officer in the U.S. Air Force, I can speak to the huge potential of leveraging automated workflows when pursuing zero-trust goals. 

Directives like M-22-09, and guidance like CISA’s Zero Trust Maturity Model (ZTMM), underscore automation's indispensable role in achieving zero trust. Indeed, implementing zero trust with automation isn’t just a sound strategic move: it’s essential.

The dynamic nature of today’s threat landscape calls for a security stance that is both scalable and adaptable — something that automation delivers. Without the efficiency and rapid response capabilities of automation, organizations are more susceptible to breaches and will struggle to apply consistent security policies across all users and devices. This leaves them dangerously exposed. 

Challenges and Considerations of Implementing Zero Trust

As with any major architectural (and cultural) shift, moving to zero trust brings its own challenges. Even before reaching the implementation stage, understanding the broad and complex requirements of zero trust — which is not a single technology, but a comprehensive set of security practices — presents a major hurdle. The sprawling and often confusing market for zero-trust technologies also makes it difficult to find suitable tools that work together to provide comprehensive control and visibility. 

Likewise, integrating the technologies listed in CISA’s ZTMM requires a highly coordinated approach, something that’s especially challenging in organizations with limited resources and a siloed tech stack. As we see all too often in cybersecurity, zero-trust directives often come with little or no additional funding, meaning careful planning and prioritization are needed to ensure even marginal progress. There’s also a need to update legacy systems and align existing security procedures with zero-trust principles — often a huge undertaking in itself. 

As federal agencies design their zero-trust architectures, a few considerations should be front of mind. Perhaps most importantly, automation and security solutions should be scalable, compatible with existing infrastructure, and have the capacity to adapt to new threats. It’s also important to remember that zero trust isn’t just a technological shift: it also requires a shift in organizational culture that puts security, and the continuous assessment of security procedures, front-and-center.

Final Thoughts

The directive for zero trust is clear. As cyberattacks grow in severity and sophistication, it’s never been more important to safeguard national infrastructure and protect crucial scientific research. Federal agencies are at a critical junction in the journey towards zero trust. Automation can help them get there faster — and with fewer resources.


Published at DZone with permission of Brandon Maxwell. See the original article here.
