
4 Ways To Prepare for the Government’s Zero Trust Architecture Mandate

President Biden’s executive order that “all federal agencies and executive departments [must] move toward a zero trust architecture to strengthen defenses against … cyber threats” means your agency should act now.


Many traditional IT security strategies, such as VPNs and firewalls, became essential over the last few years due to the increase in remote work. These cybersecurity strategies create a perimeter around the network that enables authenticated users and devices to traverse the network and access resources with ease. However, relying solely on the perimeter approach is becoming less effective, less efficient, and more dangerous for organizations of all kinds.

Now, remote work is at its peak, and many assets are in the cloud. Remote workers need secure remote access to their applications, data, and services. As guidance on cybersecurity continues to develop in the digital world, the risk of theft of assets and identities also increases. Traditional strategies for security may no longer be effective in preventing more evolved cyber attacks.

Government cybersecurity: Perimeter defense is no longer enough

New demands on IT environments are exacerbating the need for increasing cybersecurity maturity. As government workers adopt hybrid working environments, cyber threat risk increases. Likewise, inter-agency (G2G) and government-to-business (G2B) collaboration introduces new cybersecurity risks.

The frequency, cost, and impact of cyber threat actions are increasing. Cyber-criminal activity can occur at all levels of government, but government organizations now see cyber threat actors shifting their focus to smaller agencies.

Governments require powerful network security — and better remote access solutions than legacy VPN solutions. Increased volume and scalability demands are leading governments down other paths. Enter zero trust architecture.

The public sector and zero trust architecture: Where to begin

Unwinding legacy security processes and changing strategies is not an easy task. However, the benefits can outweigh the challenges. Government agencies looking to implement zero trust should start with education and a step-by-step process.

1. Talk with your IT team about zero trust architecture

First, learn the basics about zero trust and cybersecurity best practices. Understand the zero trust framework, why it is a best practice, and how you can start the conversation with your IT team.

What is zero trust?

Zero trust is a new framework of cybersecurity that helps protect environments from the inside. If someone accesses one aspect of the network, they will not have the ability to move freely inside it. This cybersecurity concept assumes no user, app, service, or device is to be trusted. This strategy also identifies atypical behavior, including incidents and breaches that involve attempted access to restricted data or downloads of large amounts of data at unusual times.

The National Institute of Standards and Technology (NIST) established guidelines for agencies and other organizations to migrate toward zero trust architectures. Trust is granted to entities by verifying the user and the apps, services, and data users can access.

What are the threats that zero trust protects against?

There are many types of security risks. Some exist solely in the physical realm, like “dumpster diving,” in which bad actors collect sensitive data from the recycling or trash. Many threat vectors exist in the cyber realm, too. Take malware, for example. Malware is malicious software intended to access, damage, or control a device or network. Cyber threat actors often combine malware with phishing, which is an attempt to acquire sensitive information, like PII, credit card information, or user credentials, by claiming to be a trusted entity.

Ransomware is also on the rise. Ransomware is malicious software that blocks access to a system by locking the data. Cyber threat actors then request a large sum of money to allow access again. Ransomware attacks can bring agency operations to a halt, especially if there aren’t sufficient backups and disaster recovery plans in place.

2. Understand why zero trust is important — right now

Targeted malware and ransomware threats, phishing attempts, data breaches: these threats are all over the news. These threats do not just affect the private sector; they also impact the public sector. The US government recognizes this growing threat and is taking action.

Recent legislation is earmarking funds for state and local agencies to uplevel cybersecurity. So much so that President Biden issued a January 2022 Executive Order mandating “all federal agencies and executive departments to immediately move toward a zero trust architecture to strengthen defenses against increasingly sophisticated cyber threats.” The Infrastructure Investment and Jobs Act (IIJA) signed in November 2021 allocates $1 billion for state and local governments to strengthen cybersecurity for their IT systems. FedRAMP, a U.S. government program that promotes the adoption of secure cloud services, is preparing for the new zero trust strategy to assist and prepare agencies by working with cloud platform providers. Additionally, Transportation Command will implement a zero trust security model on its classified networks in the coming months.

3. Create a checklist of questions to map your zero trust architecture

You now know the answer to the “Why zero trust?” question. Next, start to map out your plan to get there with the rest of the “W” questions: who, what, when, where. Help your IT partners understand the wants and needs behind your team’s use of information systems. With these answers, you can partner with your IT team to map out an effective zero trust architecture plan that is best for everyone.

  • Who is using the network (internal/external users)?
  • Who on my team needs what information and when? Who needs special privileges? What are they?
  • What is connected? What devices, apps, and services are my team/department/agency using?
  • What is happening on my network (traffic patterns and messaging, working hours, etc.)?
  • When will my team/users access the system/services?
  • Where will my team/users be when accessing the system/services (onsite, remote, via VPN, etc.)?

4. Educate your organization about the importance of data security

Multifactor authentication (MFA) is a critical component of zero trust architecture. However, these integrated steps can be tiresome for employees, leading to “security fatigue,” where users have to navigate so many authentication events that it can negatively impact employee productivity.

Ensure you — and your employees — understand the importance of data security and why zero trust security policies, like multifactor authentication, are in place.

  • Ask what education is available to help employees identify potential phishing attacks and other cyber threats.
  • Discuss with your IT team what makes up “suspicious behavior” (e.g., holidays/weekends and malicious employees).
  • Determine how to get operational if service is denied due to zero trust policies.
  • Define how you will prepare for cyberattacks, such as prevention and monitoring, crisis management, and disaster recovery plans.

Zero trust: The foundation of building trust in the public sector

Attacks and attackers are getting more sophisticated every day, and our team continuously innovates to stay ahead of our future threat landscape. We build defense-in-depth into all our systems with a layered approach of technology, processes, and people. And we practice what we preach. Which is why, effective February 1, 2022, Salesforce requires all customers to use MFA when accessing Salesforce products. MFA is one of the easiest, most effective tools for enhancing login security, and safeguarding your business and data against security threats.


Matt Goodrich spent a decade in government developing, launching, and managing FedRAMP, the first government-wide cloud security program. As a Principal Solutions Engineer and Security Specialist at Salesforce, Matt helps government organizations innovate.
