Over the past year, Zero Trust Architecture (ZTA) has made its way to the top of numerous cybersecurity-related federal mandates, securing its place as the future standard of IT security in the federal space. The Office of Management and Budget (OMB) Memorandum M-22-09, released on Jan. 26, 2022, requires that federal agencies operate on a compliant ZTA basis by the end of government fiscal year 2024.
Unlike many federal mandates, which get executed and leave agencies to their own devices to meet the requirements, the government has been extremely involved and supportive in driving this goal forward and monitoring progress. Agencies were required to develop ZTA implementation plans, and those plans have been submitted to multiple government entities, which have dedicated cyber experts reviewing and revising them to ensure each agency’s plan will meet a consistent enterprise-wide baseline of ZTA expectations. Based on those plans, the government has also provided agencies with increases in their budget and established a Technology Modernization Fund (TMF) where they can apply for more funds, if needed. Given all of this support, it is not surprising to hear that federal agencies are becoming far more advanced in their security than their federal contractor counterparts.
Several federal mandates, including draft versions of the National Defense Authorization Act, have tried to extend these requirements to federal contractors, but authorities have not been able to agree on how ZTA should be implemented at that level. Much of this conflict stems from how important cybersecurity truly is, the awareness that federal contractors are ill-equipped to implement ZTA and so may erroneously certify compliance, and how much support and involvement is therefore needed from the government to extend it effectively on a nationwide basis. Regardless, federal contractors should be prepared to see something soon. It may be a full-scale ZTA compliance requirement in solicitations and awards where contractors are left on their own to comply, a stopgap where federal contractors will have to operate on a government-provided ZTA-compliant system, or a requirement that a cyber expert certified by the government in ZTA expertise review and approve your security before an award. In any case, federal contractors should be focusing resources on cybersecurity so they don’t fall too far behind in the next steps to ZTA compliance.
For more information, please visit this link.
If you have questions about government contracting, please reach out to Tom Crutchfield for more information.