This article originally appeared on Government Technology Insider.
It’s no secret that the U.S. federal government operates in one of the world’s most threatened IT environments. When evaluating today’s federal cybersecurity landscape, it’s obvious that government agencies face more than just the typical low-level script kiddies that most SMBs, corporations, and SLED organizations encounter. They must also protect their networks from other sophisticated threats that are unique to the federal government.
The largest cyber threats challenging the federal government today are nation-state-sponsored actors who are looking to execute destructive, advanced attacks on U.S. federal IT infrastructure. While agencies work tirelessly to safeguard their networks from these malicious cyber adversaries, they are also fighting the parallel battle of trying to secure an evolving IT environment that is only becoming more complex and complicated to defend.
Due to the massive wave of modernization investments that the federal government made during the COVID-19 pandemic, remote and hybrid work have become mainstays for agencies. As a result, their IT footprints now extend far beyond the office, opening the door for an exponential increase in potential attack vectors and network vulnerabilities that nation-state hackers are seeking to exploit.
Each remote connection, cloud solution, IoT device, and unpatched legacy system that links to a government network creates a new potential exposure that a malicious cyber actor can leverage to penetrate a federal IT environment. And, in general, it’s becoming a lot easier for actors to exploit government agency networks.
Because many of these hackers are providing their skills as a service, they have lowered the risk to themselves. Government agencies of any size, regardless of whether they’re federal or SLED organizations, can be vulnerable to Ransomware-as-a-Service or Command-and-Control-as-a-Service attacks if they have not achieved a mature and bolstered cybersecurity posture.
The zero trust mandate
One cybersecurity framework that the IT community has put forward as a leading model for a mature cyber defense strategy is zero trust. A zero trust cybersecurity architecture is a methodology for how IT departments can design security, network access, and system configuration around the idea of always assuming a network or system has been compromised. To reach any segment of a federal agency network, a user must consistently authenticate their identity, and can reach only the segments they have been granted access to.
Last year, President Biden released a mandate that requires agencies to “achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024.” Although this was a tremendous victory for federal cybersecurity, the mandate provided little guidance on the steps agencies should take to actually achieve zero trust.
In November 2022, the U.S. Department of Defense’s Zero Trust Portfolio Management Office (ZTPMO) released a robust zero trust compliance and strategy document. This document outlines an incremental approach for defense agencies to utilize in order to achieve zero trust. The DoD understood that achieving a mature cybersecurity posture for the military would require a strategized methodology. This document is a highly recommended resource for federal civilian agencies that are looking for assistance on how to begin road mapping their zero trust journeys.
Upskilling and reskilling federal IT workforces
Inside the pages of the DoD Zero Trust Strategy Document, the ZTPMO specifically calls upon the DoD to embed workforce training in its zero trust implementation strategies. “Perhaps most importantly, [DoD components] must also address zero trust requirements within their staffing, training, and professional development processes,” the document reads.
Though professional development and training on zero trust are imperative, federal IT departments should expect to experience some growing pains in the process.
After all, federal agencies and their workforces have only had a few years to adjust to their digitally transformed operating environments. Nearly an entire workforce generation was hired during the era of traditional network infrastructures, where they learned how to configure and sustain their IT environments by physically touching and racking servers on-premises. It was a time when network perimeters and boundaries were more clearly defined and contained.
Now, IT departments are working in conditions that are far more complex. Federal agencies are beginning to fold technologies like cloud, virtualization, and containers into their overall network security. But as the technologies advance, there is still a considerable portion of the federal IT workforce whose legacy experience has not caught up to today’s digitally transformed environments. Though their knowledge is still valuable and applicable today, for federal cybersecurity teams to truly have a hardened line of defense for their IT infrastructures, they must level up from that traditional network and system administration experience and adapt to today’s more modern environment.
This challenge can be intimidating for many members of the federal IT workforce, because not only are they having to learn and adapt to next-generation technologies, but there is also an added pressure of learning how to secure them as well.
Here at Pluralsight, we have developed structured professional development courses for federal IT workforces that are facing this exact challenge. Through our ongoing education system, agencies are upskilling and reskilling themselves on the next-generation technologies and cybersecurity models that the government is looking to deploy across all federal agencies.
As the ZTPMO highlighted in its zero trust document, cybersecurity training must be embedded in agencies’ overall zero trust strategies in order to have a fully realized cybersecurity framework. Gone are the days of ad hoc training once or twice a year. Federal cybersecurity teams must prioritize the education of their workforces so that they can be prepared to take on any new threat that their agency may face.