28 March 2022
Zero trust is now a central cybersecurity concept at the intersection of Western governments’ national security policies and private sector digital security practices. Though the idea had been slowly developing over the past half decade, it burst into public prominence and executive-level corporate discussions in May 2021 with the release of Executive Order 14208. The Biden Administration issued EO 14208 to improve the country’s cybersecurity posture across commercial and government entities alike, particularly in the network security domain, by outlining a unified federal cross-sector strategy for the first time. Crucially, EO 14208 created massive market opportunities for innovative cybersecurity startups by mandating the adoption of zero trust standards for all federal agencies, federal contractors, and contractors’ partners.
The speed at which zero trust transitioned from abstract concept to codification in government regulation was startling. Government regulations rarely move quickly, especially in the technology sphere, yet EO 14208 was released only eight short months after the publication of the U.S. Department of Commerce National Institute of Standards and Technology’s (NIST’s) SP 800-207. This relatively rapid process demonstrates an unusual degree of alignment between regulatory and academic stakeholders, particularly as cybersecurity policy has long been critiqued as a critical national security field without a unifying federal strategy. While the order was certainly not equal to legislation, it nonetheless represented a critical step in codifying government cybersecurity policy and providing guidance to the private sector in a critical national security domain.
EO 14208 outlined multiple steps and lines of effort to update, align, and operationalize national cybersecurity; four key points are of particular relevance to cybersecurity startup founders, the venture capital industry, and the general business community:
- A call for direct partnerships between federal agencies and the private sector, including both cybersecurity companies providing products and end-user organizations protecting data.
- A mandate to adopt zero trust architecture (ZTA) across all federal agencies.
- A timeline to update and implement software supply chain security measures across the federal government and among its contractors.
- The establishment of boards and advisory committees to ensure the implementation of cybersecurity efforts and improvement iterations on best practices and standards.
Combined, these pillars establish priorities and methods for public-private sector collaboration, as well as guidance for emerging cybersecurity startups and venture capital firms on how the U.S. federal government will direct spending efforts. Within this context, two elements are crucially important. The first is that all four key focuses are rooted in, and often explicitly require, ZTA. The second is that ZTA will not only be mandated for federal agencies, but will also be required for federal contractors and partners (i.e., software supply chain security). This requirement creates an extensive downstream ripple effect, as not only companies that work directly with the U.S. federal government – accounting for over $554 billion in contracts in FY2020 – will need to adopt ZTA, but also those that work with direct contractors. The FY2022 federal IT budget is $82.1 billion alone, requiring significant additional spend to secure according to ZTA standards and hinting at the much larger contractor and B2G ecosystem market opportunity. The upshot is that zero trust presents ample room for opportunity growth as the concept evolves and refines.
Implementing zero trust in network architecture requires an understanding of its concepts more than a focus on a prescriptive solution. ZTA will continue to evolve as cybersecurity companies seek to adapt products and services and end user organizations standardize cyber practices in response to EO 14208. The basis of ZTA, in line with NIST 800-207, is that continuous user authentication, authorization, and validation are necessary to grant and maintain access to protected resources, rather than accepting an assumption that static, perimeter-focused security networks can be trusted as secure. In adopting ZTA, organizations abandon the dangerous belief that security perimeters can be trusted, assuming that their systems have already been infiltrated. The leading industry analysis firm Forrester stresses that zero trust is not in itself a solitary product or platform; it is instead a framework to guide entities’ cybersecurity postures and strategies around the concept of “never trust, always verify” and “assuming breach.” Utilizing a zero trust framework, security teams must adopt security models and enabling products based on workloads, data, and identity awareness.,
The U.S. government’s focus on ZTA, and its codification in EO 14208, generates momentum for innovative startups that are able to shape the industry’s future while simultaneously aligning entrepreneurial efforts behind guiding principles. The ZTA framework offers significant commercial potential for new technologies and products as many cybersecurity incumbents compete to acquire zero trust-associated startups. As the concept evolves, opportunities will develop for entrepreneurs to create new solutions that focus on each element of zero trust, as well as product suites that better enable collaboration across and within commercial enterprises and government agencies alike.
- Biden, Joseph R. Executive Order on Improving the Nation’s Cybersecurity. 12 May 2021.
- O’Connor, Nuala. “Reforming the U.S. Approach to Data Protection and Privacy,” Digital and Cyberspace Policy Program, Center on Foreign Relations. 30 January 2018.
- Office of the Chief Data Officer at the Bureau of the Fiscal Service, U.S. Department of the Treasury. “Contract Federal Explorer,” Data Lab, USAspending.gov.
- General Services Administration. IT Portfolio Dashboard. Accessed 24 March 2022.
- Rose, Mitchell, and Connelly. SP 800-207: Zero Trust Architecture. U.S. Department of Commerce National Institute of Standards and Technology. August 2020.
- Turner, Steve. “Zero Trust Is Not A Security Solution; It’s A Strategy,” Forrester. 18 February 2021.
- Cunningham, Chase. “A Look Back At Zero Trust; Never Trust, Always Verify,” Forrester. 24 August 2020.