Former Federal CIO on Why the White House Believes in Zero Trust


By Tony Scott

Read time: 4 minutes
Last updated: Sep 27, 2021
When it comes to cybersecurity, companies have persisted with point solutions and outdated architecture for too long. In many cases, governments have done the same, delaying systemic overhauls necessary to defend against increasingly sophisticated, increasingly common forms of attack. It’s time for that to change. Incidents like the Colonial Pipeline ransomware attack and the SolarWinds breach have shown that isolated actors and sophisticated nation-states are more than capable of exploiting security weaknesses not only to wreak havoc on individual companies, but also to disrupt daily life by sparking panic and crippling infrastructure.

Modern supply chains have porous perimeters with entry points intruders can breach to intercept personal information and interrupt business operations. Attacks on the supply chain are becoming more frequent, and they can be expensive: not just in terms of business disruption, but also in terms of brand erosion, customer churn, and direct financial penalties.

These attacks will keep happening as long as they remain feasible and profitable. That’s why businesses and governments alike need to recognize security as a critical issue. In a timely move, President Biden recently signed an Executive Order on Improving the Nation’s Cybersecurity, spotlighting the need for government agencies and businesses to move rapidly to a Zero Trust architecture.

Here, we’ll explain the impacts of the Executive Order (EO) and highlight the takeaways for private companies.

Understanding Zero Trust 

Zero Trust is a cybersecurity approach founded on the “never trust, always verify” rule. With a conventional security architecture, the primary goal is to protect the network location. In the Zero Trust model, the focus is on securing resources like business applications, workflows, and network accounts. In a Zero Trust architecture (ZTA), authentication and authorization of both subject and device are separate functions performed before each session.

Zero Trust patches the holes in your security infrastructure that bad actors can exploit to expose and steal sensitive data. A ZTA empowers companies to recognize and neutralize threats faster and more effectively.

At ColorTokens, we’ve built a Zero Trust platform from the ground up, giving customers the tools they need to protect their digital assets (from “crown jewels” to hybrid cloud workloads to legacy systems and endpoints) and putting them back in control of their security posture. Like other leaders in the InfoSec space, we’re encouraged to see the US government moving to modernize its cybersecurity defenses by improving incident detection and response, supply chain security, and overall threat resilience.
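To make the contrast above concrete, here is an added illustration (not code from the original post or from ColorTokens) of a perimeter check that trusts network location beside a per-session Zero Trust decision that verifies the subject and the device as separate steps and then authorizes against the named resource. The address range, users, devices, and resource policy are all constructed for the example.

```python
"""Per-session Zero Trust access decision versus a perimeter check.

Constructed illustration: the perimeter model admits any request from the
"inside" address range, while the ZTA decision verifies the subject and the
device as separate steps and authorizes against the named resource for each
session, ignoring network location entirely.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import secrets

CORP_NET = ip_network("10.0.0.0/8")  # constructed "trusted" range


@dataclass
class Request:
    subject: str
    mfa_passed: bool
    device_id: str
    device_compliant: bool
    resource: str
    source_ip: str


# Constructed policy: which subjects may reach which resource.
RESOURCE_POLICY = {"payroll-app": {"alice"}, "wiki": {"alice", "bob"}}
ENROLLED_DEVICES = {"laptop-01", "laptop-02"}  # constructed device inventory


def perimeter_allows(req: Request) -> bool:
    """Legacy model: being on the corporate network is the credential."""
    return ip_address(req.source_ip) in CORP_NET


def authenticate_subject(req: Request) -> bool:
    """Step 1: the user proved who they are (MFA) for this session."""
    return req.mfa_passed


def verify_device(req: Request) -> bool:
    """Step 2: the device is known and currently meets compliance policy."""
    return req.device_id in ENROLLED_DEVICES and req.device_compliant


def authorize(req: Request) -> bool:
    """Step 3: this subject is allowed on this specific resource."""
    return req.subject in RESOURCE_POLICY.get(req.resource, set())


def zero_trust_session(req: Request):
    """Return (granted, reason, session_token); nothing is carried over
    from earlier sessions, so every request is evaluated afresh."""
    if not authenticate_subject(req):
        return (False, "subject authentication failed", None)
    if not verify_device(req):
        return (False, "device verification failed", None)
    if not authorize(req):
        return (False, "subject not authorized for resource", None)
    return (True, "granted", secrets.token_hex(16))
```

The same request can pass the perimeter check and fail the Zero Trust decision, or the reverse, because only the latter evaluates identity, device state, and resource policy.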

What does the Executive Order do? 

The EO is a long-awaited step toward securing federal networks, improving information-sharing practices between public- and private-sector entities, and bolstering the nation’s ability to detect and respond to incidents when they occur.

While the EO can only legally mandate change for the federal government, private-sector companies would be wise to follow the government’s lead in implementing Zero Trust (if they haven’t already started moving in this direction). Taking proactive steps to augment security standards today helps mitigate the likelihood and impact of a breach tomorrow.

Here’s what the EO does:

1. Removes barriers to sharing threat information: 

Biden’s order removes barriers to information-sharing and mandates that IT service providers share certain breach information with the government. IT providers can be unable or hesitant to share information about data breaches, whether for contractual reasons or to protect brand reputation. Ensuring an open line of communication between the government and private companies is an important step toward national cybersecurity. 

2. Modernizes and strengthens cybersecurity standards for the federal government: 

The EO gives the federal government a roadmap for implementing secure cloud services and Zero Trust architecture, and requires the consistent deployment of multi-factor authentication (MFA) and encryption. 

3. Improves supply chain security: 

The EO establishes baseline security standards for software used by the government. It mandates that developers have greater visibility into their software and make their security information available to the public. Additionally, the EO creates a pilot program to label software that was shipped securely, similar to how the Energy Star designates energy-efficient products and devices. 

4. Establishes a Cybersecurity Safety Review Board: 

The EO creates an oversight board to be co-chaired by experts from the government and the private sector. Modeled after the National Transportation Safety Board, which investigates events like airplane crashes, this board would convene in the wake of significant cybersecurity incidents to determine what went wrong and make specific recommendations for improvement.

5. Creates a response template: 

Recent breaches have revealed that the maturity and efficacy of response plans varies widely within the federal government. In answer, the EO establishes a standardized playbook for how the federal government should respond to these incidents. Private-sector companies can also use this template to guide their responses. 

6. Improves detection and response capabilities:

By enabling an endpoint detection and response (EDR) system and improving information-sharing within the federal government, the EO improves the government’s ability to detect and respond to cyberattacks. 

7. Implements event log requirements:

Poor event logging makes it harder for organizations to detect, mitigate, and prevent incidents, so the EO establishes event log requirements for the federal government. Private-sector companies looking to improve their security posture should implement consistent, robust event logging if they haven’t already. 

What’s the takeaway for private companies? 

With this expansive EO, the federal government is effectively throwing its weight behind the importance of Zero Trust. The order is explicitly intended to leverage the federal government’s purchasing potential to push developers to build security into all software from ideation to implementation. This means that if you’re building software or creating supply chains you want any office of the federal government to consider using, you must meet the threshold for Zero Trust security.

For companies that haven’t yet begun their journey to Zero Trust, Biden’s order will increase the pressure to get started. The good news is that implementing Zero Trust doesn’t have to be confusing or time-consuming, and it doesn’t have to throw a wrench into your core business operations.

ColorTokens’ Xtended ZeroTrust™ Platform is an infrastructure-agnostic, cloud-delivered platform that secures applications, endpoints, and workloads. Built on a Zero Trust foundation, our platform helps IT and security teams prevent attacks and streamline compliance.

To learn more, download our Definitive Guide to Zero Trust Security or get in touch to request a free demo.

About the author

Tony Scott, CEO of the TonyScottGroup, was the third federal CIO (2015-2018) in United States history. Tony is one of the world’s foremost security and IT experts. As US CIO, Tony created the government-wide response plan to the OPM incident, including the Cybersecurity Sprint and Implementation Plan (CSIP), which dramatically improved the federal government’s security posture. Prior to his tenure as US CIO, Scott was CIO at VMware, CIO at Microsoft Corporation, CIO at The Walt Disney Company, and CTO at General Motors. Tony was inducted into CIO Magazine’s Hall of Fame in 2009.