Busting Through the Myths Surrounding Zero Trust

CISA Cybersecurity ZeroTrust

By Danny Toler and Sara Mosley

Danny and Sara Biographies

Executive Order (EO) 14028 mandated that federal agencies develop and execute a Zero Trust cybersecurity plan. In response, the Cybersecurity and Infrastructure Security Agency (CISA) recently published its Zero Trust Maturity Model v2.0 to help agencies assess their progress along the path to Zero Trust.

CISA’s maturity model is an important step forward in helping agencies move toward Zero Trust, but it leaves the method of implementation up to the agencies. Despite all the buzz on the topic, several myths surrounding Zero Trust are still circulating – even among CIOs.

To set the record straight, we “bust through” the most common myths we have heard to date.

Myth 1: Zero Trust is a tool.

Symbolic depiction

While tools are absolutely necessary for creating a Zero Trust environment, no single tool will get you there. In a Zero Trust security model, the focus is on data protection. There are many methods for protecting data in transit and at rest, including encryption and limiting access, for example. However, these methods cannot be delivered by a single product or tool; they require a change in your agency’s security architecture design and capabilities. To be successful, you must have contextual understanding of your data usage and processes. This understanding should inform your security decisions, allowing you to implement appropriate controls and detect anomalies or suspicious activity throughout the environment.

Myth 2: I need to throw out everything I have and start over to achieve Zero Trust.

Symbolic depiction

There’s a general misunderstanding that Zero Trust can only be achieved by a complete overhaul of existing IT infrastructure and applications. While it’s true that cloud environments and newer identity management tools offer extensive security features, you may already have many of these capabilities in-house. This is why the first step in establishing a Zero Trust environment is to identify the tools, operational practices, and countermeasures already in place. Once you’ve established this baseline, you can map it to CISA’s maturity model to see which of your current processes and capabilities can be leveraged and where you may need to make further adjustments as you transition to a Zero Trust environment.

Myth 3: Zero Trust will break my agency’s operations.

Symbolic depiction

With proper preparation and planning, you can successfully implement Zero Trust without disrupting IT and cybersecurity operations. We recommend agencies plan the transition to a Zero Trust security model by walking through use cases or engaging in more complex scenario-driven tabletop exercises. Real-world approaches such as these will allow you to identify and prioritize technical gaps, training needs, cultural impediments, and shifts in operational procedures. Agencies should carefully consider the technical skills needed for both staff and contractors to ensure that future hires are adequately prepared to implement and maintain Zero Trust best practices.

Myth 4: Zero Trust is all about complying with the Cyber EO.

Focusing on compliance misses the point of the Executive Order (EO). The reason for the order is not to bureaucratically measure and track agencies. The Administration recognized the need to shift agencies’ cybersecurity frameworks and practices to respond to ever-evolving threats. The “old way” of providing network protection has proven increasingly ineffective, especially as work is no longer limited by geography, and the need to communicate across silos has become increasingly urgent. With this mandate, the Administration acknowledges this reality and embraces Zero Trust as the path for the future. The EO is concerned with protecting the nation’s data and IT operations across the federal government, and mandates like this one are providing a path to accelerated action and underpinning future investment decisions.

Myth 5: Zero Trust is all about identity management.

Symbolic depiction

No single pillar will get you to Zero Trust. Protecting only your network will not do it. Focusing only on data will not do it. Even advanced identity and access management tools will not do it. Achieving a mature Zero Trust environment requires that you implement best practice measures across ALL the pillars defined in CISA’s maturity model and orchestrate activities between pillars.

Each pillar in the Zero Trust Maturity Model serves a specific purpose and contributes to overall security posture. Pillar integration ensures that different security measures and controls work together seamlessly to create a robust and cohesive security architecture. This allows you to address different attack vectors comprehensively. For example, while identity and access management (IAM) functions focus on verifying and authenticating users and devices, network security emphasizes micro-segmentation of each application workload or environment, as well as traffic flow control. Data security, on the other hand, identifies and categorizes sensitive information to ensure appropriate security controls are applied. The integration of these pillars ensures a layered defense designed to leave no gaps for attackers to exploit.

Focusing on a single pillar, then proceeding to the next pillar may improve protection, but incrementally implementing and orchestrating Zero Trust principles across all pillars allows you to achieve quicker, more robust protection and will increase your return on investment over time.

Myth 6: Zero Trust is impossible to achieve.

Symbolic depiction

Most agencies’ IT organizations view the transition to Zero Trust to be about the enterprise, taking an “all or nothing” approach. In a Zero Trust security model, the categorization and type of data determines the protection it needs, hence, it should not be treated as a “one-size-fits all” enterprise approach. Instead, cybersecurity leaders should consider breaking their enterprise down into smaller “protect surfaces” that allow for an incremental approach to transitioning to Zero Trust.

By integrating security across CISA’s five pillars: identity, devices, networks, data, and applications and workloads, agencies will achieve a unified defense posture capable of thwarting advanced threats – whether they are internal or external.


Zero Trust

Accelerate Your Zero Trust Journey 

Acuity provides several offerings that can be scaled to fit your needs:

Zero Trust Readiness Assessment

We begin by baselining your agency’s current Zero Trust posture and existing technology. Our baseline highlights gaps to be closed to meet regulatory requirements and position for Zero Trust maturity. We collaborate closely with agency counterparts to gather needed documentation, perform our assessment with our expert team, and provide an Agency Roadmap that includes highlighted, prioritized gaps and recommended actions based on critical mission demands.

Tailored Tabletop Exercises

Using your Agency Roadmap, we provide a holistic view of the organizational, operational, procedural, talent, and other changes needed to make progress along the path to Zero Trust. These exercises are tailored to the specific needs of the agency and allow all stakeholders to have a fuller understanding of their roles and the impact that integrated Zero Trust capabilities will have on avoiding or mitigating potential security incidents.

Zero Trust Implementation Services

Acuity’s Innovation Lab is developing a suite of capabilities to support known Zero Trust use cases that meet federal requirements. Our risk-based approach is built on the CISA Zero Trust Maturity Model v2.0.

ZT Subject Matter Experts – On Call

Acuity offers subject matter expert consultation services for federal agencies who are interested in advisory, planning and/or review sessions in support of Zero Trust. For more information, or to request a meeting, please contact:

© Acuity, Inc.