Federal agencies are starting to back a “zero trust” approach to technology in contracting.
The Defense Department is expanding its cybersecurity features by adding and restructuring technologies to implement a zero-trust design across its networks. Agencies haven’t invested much in the framework to date, but plans and solicitations indicate that the market for zero-trust technologies will grow.
Zero trust is an approach that doesn’t automatically grant trust to a user based solely on their physical or network location, which is important in a network that includes remote users and cloud-based resources. Rather than allowing users access to everything, zero trust grants users the minimal access required to fulfill their duties. This emphasizes protecting individual resources rather than the network itself.
Zero trust isn’t a specific technology. It’s a framework that requires several products, including identity credentialing and access management, continuous monitoring, data security and automation.
The Homeland Security Department’s Continuous Diagnostics and Mitigation and DOD’s Comply-to-Connect programs — probably the best examples of federal programs in the process of implementing zero trust — have many of the components.
Agencies won’t have to buy all new technologies. Instead, they will need updated IT and help implementing a framework and restructuring current tech. Agencies have spent billions on different components, like continuous diagnostics and mitigation and machine learning. And although it’s likely that additional zero-trust obligations have been part of larger cybersecurity and IT programs, agencies have spent only about $500,000 on specific zero-trust solutions since 2017, according to a Bloomberg Government search.
Agencies are thinking about how they can start.
The National Institute of Standards and Technology released a second draft of its zero-trust architecture publication in February. The Defense Information Systems Agency is leading a workshop to come up with best practices for defense agencies to upgrade their systems and approaches to meet zero-trust goals. It plans to release an initial model this year. The Small Business Administration plans to use the framework as a next step in its cybersecurity strategy, and DHS and the Marine Corps are planning to expand its use.
Some agencies have taken it a step further. There are currently 28 open solicitations that mention zero trust.
Plans and solicitations indicate agencies are taking zero trust more seriously. For contractors, that would mean agencies purchasing modern IT to fill any gaps, along with services to help with implementation. Expect to see “zero trust” in increasing numbers of solicitations. Since agencies have many of the products needed, they are likely to incorporate zero trust into their strategies and solicitations rather than making it the focus.
This may happen quickly. Agencies were already exploring and implementing zero trust, especially in the wake of many tools and data being moved to the cloud prior to March. But with Covid-19 forcing many employees to work remotely, agencies have had to speed up cybersecurity for workers accessing government networks and data from home.
Bloomberg Government’s Contracts Intelligence Tool can help reveal contractors that are potentially positioned to help agencies develop zero-trust architectures, including those with experience providing continuous monitoring solutions such as Booz Allen Hamilton Holding Corp., ManTech International Corp. and CGI Inc., as well as smaller companies such as Sevatech Inc., Foxhole Technology Inc. and Technica Corp.
To contact the analyst on this story: Laura Criste in Salt Lake City, Utah at firstname.lastname@example.org