Zero Trust Architecture

The Department of Commerce (DOC or Department) Information Technology (IT) infrastructure consists of numerous independent networks, Trusted Internet Connections (TICs), information systems, remote field offices, mobile devices, and cloud services all managed by individual Bureaus. This complex and disparate infrastructure makes traditional, perimeter-based methods of providing network security insufficient in the modern threat environment. Therefore, the Department is engaging with all Bureaus on implementing a Zero Trust Architecture (ZTA) -- a security framework that reduces the risk of data breaches, prevents threats from moving laterally, and reduces a network's attack surface.

To achieve this effectively, the Department is establishing guidelines for reaching a ZTA. These will be aligned to the core capabilities and will include standards of performance that must be met, serving as a baseline for the Department and individual Bureaus to work towards. In addition, since implementing ZTA is a large-scale and complex project, the Department is approaching the initiative as a long-term strategy with tactical milestones.

Zero Trust is built upon attribute-based access control (ABAC), which means it utilizes dynamic policies based on identities, applications, and devices that require additional contextual information, such as a user’s attributes, past behavior, and/or location. As with any security framework, there are multiple concepts within Zero Trust. The Department is building its ZTA implementation around the following core principles taken from OMB Memorandum M-22-09, NIST Special Publication (SP) 800-207, and CISA’s Zero Trust Maturity Model:

  • Take a Data-centric Approach – Atomized data records or data sets must become the central resources for which an effective ZTA implementation manages, enforces, and monitors access.
  • Localize Security Boundaries as Much as Possible – Micro-segmentation of networks, systems, and applications allows access decisions to be enforced as close to data and other key resources as possible, making it more difficult for bad actors to move laterally throughout the network.
  • Never Trust, Always Verify – Users and devices must be authenticated based on a contextual, risk-informed approach before a user is evaluated at a Policy Decision Point (PDP), which then evaluates user and device authentication (AuthN) and other attributes to determine authorization (AuthZ) based on dynamic application policies.
  • Principles of Least Privilege and Functionality – Each application will be configured for only essential functionality; the application will restrict non-essential, unnecessary functions. Every DOC user will enter the network as a general user. Only when a user is authorized to obtain greater privileges (for example, to become an administrator) will that user be granted privileges higher than a general user, and those privileges will only be given for a limited time.
  • End-to-end Encryption – When implemented, end-to-end encryption reduces the ability of attackers to eavesdrop on communication between applications.
  • Data Encryption at Rest – When implemented, data at rest encryption prevents data from being visible in case of unauthorized access.
  • Continuous Monitoring – While continuous monitoring already occurs in DOC’s Enterprise Security Operations Center (ESOC) and Bureau Security Operations Centers (SOCs), the Department’s ZTA will integrate advanced data analytics gained through ZTA capabilities for increased visibility into the environment.
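The following is an added illustration, not code from the Department or any of the cited publications, of how the "Never Trust, Always Verify" and "Least Privilege" principles above combine in a Policy Decision Point: user and device authentication attributes are checked first, authorization is then decided from contextual attributes against a per-resource policy with default deny, and elevation to administrator counts only while a time-limited grant is still valid. The attribute names, the `payroll-db` policy table, and all sample values are constructed assumptions for the example.

```python
# Toy policy decision point (PDP) with constructed attributes and policy
# (not DOC's): AuthN of user and device first, then attribute-based AuthZ.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Request:
    user: str
    device_compliant: bool   # device posture attribute (constructed)
    mfa_verified: bool       # user AuthN attribute (constructed)
    location: str            # e.g. "us-office" or "remote" (constructed)
    resource: str
    action: str
    role: str = "general"    # every user enters the network as a general user
    elevation_expires: Optional[float] = None  # epoch seconds; None = no grant

POLICIES = {  # constructed ABAC policy; unlisted resource/action = default deny
    "payroll-db": {"read":  {"roles": {"general", "admin"}, "locations": {"us-office"}},
                   "write": {"roles": {"admin"}, "locations": {"us-office"}}},
}

def effective_role(req: Request, now: float) -> str:
    # Elevated privilege counts only while its expiry is still in the future.
    if req.role == "admin" and req.elevation_expires and req.elevation_expires > now:
        return "admin"
    return "general"

def decide(req: Request, now: float) -> Tuple[bool, str]:
    """Return (allowed, reason); 'now' is epoch seconds, passed in for testability."""
    if not req.mfa_verified:                      # never trust, always verify
        return False, "authn: MFA not verified"
    if not req.device_compliant:
        return False, "authn: device not compliant"
    rule = POLICIES.get(req.resource, {}).get(req.action)
    if rule is None:
        return False, "authz: no policy for resource/action (default deny)"
    role = effective_role(req, now)
    if role not in rule["roles"]:
        return False, f"authz: role '{role}' may not {req.action} {req.resource}"
    if req.location not in rule["locations"]:
        return False, f"authz: location '{req.location}' not permitted"
    return True, f"authz: {role} may {req.action} {req.resource}"

def grant_elevation(req: Request, minutes: int, now: float) -> Request:
    # Time-boxed elevation to admin, as the least-privilege principle requires.
    req.role = "admin"
    req.elevation_expires = now + minutes * 60
    return req
```

A real PDP would additionally feed each decision and its reason to the SOC/ESOC telemetry the continuous-monitoring principle describes, since a run of denials is itself a useful detection signal.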