Implementing Zero Trust Across a Complex Multi-Agency Client

Challenge

Zero Trust is a paradigm shift that is more involved than simply deploying new security tools. A more dynamic security mindset requires a programmatic assessment of roles and responsibilities, technology, the culture, and systems management practices across the organization.

A major federal government multi-agency client faced challenges quickly adjusting to Zero Trust Cybersecurity Principles in response to the changing cybersecurity landscape, including OMB M-22-09 (Moving the U.S. Government Toward Zero Trust Cybersecurity Principles). Without a centralized Zero Trust Architecture (ZTA), the complex, multi-agency client faces many challenges:

• Stakeholders lacked a consistent understanding of ZTA principles
• Specific gaps were not prioritized or properly aligned to identify dependencies
• Responses were focused around simply deploying new security tools

Guidehouse is leading the client’s zero trust coordination team, has deployed the core technical solutions into production.

Solution

Guidehouse developed the agency-wide strategy using NIST SP 800-207 and the Cybersecurity and Infrastructure Security Agency Zero Trust pillars to measure maturity, identify strategic investments, and help our client make measurable improvements to determine what the organization can afford to do to make the highest impact in their Zero Trust journey.

Guidehouse completed the following through leading the zero trust coordination team:

Led a holistic review of current and future initiatives  — To assess the client’s alignment with OMB M-22-09. As the client had many efforts already underway aligned to Zero Trust, the team was able to use a risk-based approach to prioritize the closure of gaps and re-align priorities. Guidehouse assisted the client in drafting ZTA responses to OMB and developing the client’s Zero Trust Architecture Implementation Plan.

Established a Zero Trust coordination committee — Worked collaboratively with leadership and sub-components to educate stakeholders on ZTA principles, re-align priorities, identify key dependencies, pilot ZTA solutions, and guide agency offices to ZTA implementation.

Assisted in moving the client’s core ZTA solutions to production — Including a Zero Trust Broker, end point detection and response (EDR), and Identity Provider (IdP) solution. Together, these core solutions make up the backbone of the client’s ZTA.

Assisted in obtaining an ATO for ZTA — By aiding our client with its cross-solution design and testing to verify the desired ecosystem will enable Zero Trust principles and identify any breaks within the new architecture.

Impact

Our client is making measurable improvements to its security architecture and achieving M-22-09 objectives:

1. Migrated security architecture to cloud-based solutions
2. Tested integrated policies that establish secure network tunnels based on user and device parameters for authorized applications as the client continues to migrate to ZTA
3. Created training guides for administrators and general users to manage change