The Chief Information Security Officer (CISO) Council and the Chief Data Officer (CDO) Council released a joint guide Thursday that aims to assist Federal agencies in operationalizing data security using a zero trust framework.
The first-of-its-kind document is a key deliverable from the White House’s 2022 memo that directs Federal agencies to migrate to zero trust security architectures.
The Office of Management and Budget (OMB) charged the Federal CDO Council and Federal CISO Council to convene a cross-agency working group of data and security experts to develop a data security guide for Federal agencies. More than 30 Federal agencies and departments answered the call to author the Federal Zero Trust Data Security Guide – which was released on Oct. 31 alongside a companion document that will assist practitioners in operationalizing data security using a zero trust framework.
“This guide represents insights from agency practitioners who are in the trenches working to implement zero trust and secure their organization’s data,” said Kirsten Dalboe, chair of the CDO Council and CDO at the Federal Energy Regulatory Commission. “We’re building a cooperative relationship between data and cyber to tackle this government-wide challenge and ultimately ensure the public’s data is secured.”
The joint guide recognizes that “data is a foundational pillar of effective zero trust implementation.”
“This is the first time that Federal security teams and data teams are coming together in this way to tackle a challenge of this magnitude,” said Steven Hernandez, co-chair of the CISO Council and CISO of the Education Department.
“Through the zero trust lens, focus is placed on securing the data itself, rather than the perimeter protecting it,” the two councils said.
The 42-page guide provides its audience of system owners and administrators, data managers, and cybersecurity engineers with detailed zero trust principles aimed at informing decision-making and aligning with agency missions.
Part of the guide outlines suggested actions that Federal agencies can take to protect their data, while the remaining sections center on identifying, defining, and categorizing data according to specific criteria.
The guide closes with a handful of recommended data practices that Feds can tailor to their agency’s mission needs, including cross-functional and collaborative communication, a strong relationship between data and security teams, continuous learning and education, adaptability, regular assessments, and “across-the-board buy-in.”
“The implementation of ZT principles is paramount for the Federal government to secure its data assets in an increasingly complex and contested cyber environment,” the CDO and CISO Councils wrote. “By adhering to the core tenets of zero trust – never trust, always verify – agencies can ensure that their data is categorized and safeguarded with the utmost precision.”