Rising to CISA’s zero-trust challenge: What do government contractors need to know?

  • The US government released a memorandum outlining a federal “zero trust” security strategy, which could result in cyber overhauls in organizations large and small.
  • Zero-trust programs can affect every aspect of an organization — be ready to scrutinize your entire security architecture.
  • Zero trust takes time and planning, but is achievable and can bring a wealth of business benefits.

The US government’s January 2022 memorandum outlining a federal “zero trust” security strategy (OMB Memorandum M-22-09), a critical step forward for national cybersecurity, poses major challenges for companies that contract with federal agencies.

To get to zero trust, companies and agencies will all need to redesign their digital architectures. This will be a daunting task for the behemoth, “technologically diverse” federal government, the January 26, 2022 memo states — but it could be just as difficult for private enterprise.

And federal contractors aren’t the only entities needing to think now about compliance. The memo’s effects will almost certainly ripple to state and local governments. Their third- and fourth-party contractors may need to comply, too.

The trickle-down effects of this sweeping mandate, from government to private sector, could result in cyber overhauls across the board, in organizations large and small.

No “one-and-done” solution

Zero trust isn’t a piece of software; it is a strategy. Meeting the mandate will mean combining a number of approaches, techniques and software types.

Integrating what you need to use with what you’re already using can be difficult and time consuming. The challenge only grows for those working piecemeal, without an overarching plan for using software and platforms that work together. But zero trust is worth your effort.

Zero trust’s many rewards extend beyond security. It gives your people and technologies a much better view into your networks so you can detect breaches and breach attempts more quickly and accurately.

And when done properly, zero trust can be very user friendly. Even as it locks out those who don’t measure up, it lets authenticated users do their work with little or no interruption, keeping business humming along, faster and more smoothly than before.

The good news: Zero trust is achievable — if you’re willing to do the brain work and leg work needed to get you there.

Five pillars, many moving parts

Some companies already claim to have zero-trust programs in place — but in our experience, few organizations actually do. Why? Zero trust is complex. It takes time and planning.

As a strategy, zero trust is greater than the sum of its many parts, and stands to affect every aspect of any organization. You may need to scrutinize your entire security architecture before proceeding.

Verification is the name of the zero-trust game. Every access request is authenticated and authorized, not just the first login of the day; traffic is encrypted in transit; computing devices on the network are continuously monitored and held to a compliance baseline; and more.

Paradoxically, a good zero-trust program not only means “trust no one”; it also means you no longer have to rely on trust at all. The gatekeepers you place throughout your systems verify, on each request, that users are who they say they are and that their devices are in an acceptable state, so nothing is assumed because of where a request came from.

The memo’s five principles of zero trust

The federal memorandum’s mandates rest on five principles, in line with the five “pillars” in the US Cybersecurity and Infrastructure Security Agency (CISA)’s zero-trust maturity model — applicable to federal agencies and the organizations contracting with them.

1. Identity: Your enterprise manages user identities for the applications your people use in their work. Phishing-resistant multi-factor authentication (MFA) helps protect from online attacks.

2. Devices: An inventory lists every device in your network and you can prevent, detect and respond to incidents on those devices.

3. Networks: Your systems encrypt all domain name system (DNS) requests (for example with DNS over HTTPS or DNS over TLS) and all HTTP traffic. You have a plan to isolate sensitive areas of your network (segmentation) so a breach in one area cannot spread to the others.

4. Applications and workloads: You treat all applications as internet-connected, routinely test them and welcome external vulnerability reports.

5. Data: You’ve begun categorizing your data. Your cloud security services monitor access to your sensitive data. You use enterprise-wide logging and information sharing.
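To make “verify every request” concrete, here is an added example, not code from PwC, CISA or the memorandum, of a deny-by-default policy decision that checks signals from the identity, devices, networks and data pillars on every request rather than once at login. The signal names, the authenticator labels treated as phishing-resistant, the session-age limits and the sample users and devices are all assumptions constructed for the example; a real policy decision point would take them from the identity provider, device management or EDR platform and data classification service.

```python
"""Deny-by-default, per-request access decision mapped to the five pillars.

Added illustration, not PwC's, CISA's or OMB's code.  Signal names, the
phishing-resistant authenticator labels and the policy thresholds below are
assumptions chosen for the example; a real policy decision point would take
them from the identity provider, device management/EDR and data
classification services.
"""
from dataclasses import dataclass, field

# Authenticator types treated as phishing-resistant (assumed labels).
PHISHING_RESISTANT = {"fido2", "piv"}

# Longest a session may be reused before re-authentication, in minutes,
# per data classification (assumed values).  Unknown classes are denied.
MAX_SESSION_AGE_MIN = {"public": 720, "internal": 240, "sensitive": 30}


@dataclass
class AccessRequest:
    user: str
    mfa_method: str            # e.g. "password", "sms_otp", "totp", "fido2", "piv"
    session_age_min: int       # minutes since the user last authenticated
    device_id: str
    device_inventoried: bool   # Devices pillar: listed in the device inventory
    device_compliant: bool     # Devices pillar: EDR present, patched, encrypted
    transport_encrypted: bool  # Networks pillar: request arrived over TLS
    app: str
    data_class: str            # Data pillar: classification of the data touched


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Check every pillar on every request; any failed check denies."""
    reasons = []
    max_age = MAX_SESSION_AGE_MIN.get(req.data_class)

    # Data: refuse to decide on data that has not been classified.
    if max_age is None:
        reasons.append(f"data: '{req.data_class}' is not a known classification")
    else:
        # Identity: authentication is re-verified per request, not only at login.
        if req.session_age_min > max_age:
            reasons.append(f"identity: session {req.session_age_min} min old "
                           f"exceeds {max_age} min allowed for {req.data_class} data")
        # Identity: phishing-resistant MFA for anything beyond public data.
        if req.data_class != "public" and req.mfa_method not in PHISHING_RESISTANT:
            reasons.append(f"identity: {req.mfa_method} is not phishing-resistant")

    # Devices: unknown or non-compliant devices get nothing.
    if not req.device_inventoried:
        reasons.append(f"devices: {req.device_id} is not in the inventory")
    elif not req.device_compliant:
        reasons.append(f"devices: {req.device_id} failed the compliance check")

    # Networks: no plaintext, regardless of where the request came from.
    if not req.transport_encrypted:
        reasons.append("networks: request was not sent over an encrypted channel")

    return Decision(allow=not reasons, reasons=reasons)


def evaluate_all(requests):
    """Evaluate a batch of requests; returns {user: Decision}."""
    return {r.user: evaluate(r) for r in requests}


# Constructed sample requests (not real users, devices or applications).
SAMPLE_REQUESTS = [
    AccessRequest("alice", "fido2", 10, "lt-0123", True, True, True, "hr-portal", "sensitive"),
    AccessRequest("bob", "totp", 5, "lt-0456", True, True, True, "hr-portal", "sensitive"),
    AccessRequest("carol", "fido2", 45, "lt-0789", True, True, True, "hr-portal", "sensitive"),
    AccessRequest("dave", "fido2", 5, "byod-1", False, False, True, "wiki", "internal"),
    AccessRequest("erin", "fido2", 5, "lt-0999", True, True, True, "payroll", "restricted"),
]

if __name__ == "__main__":
    for user, decision in evaluate_all(SAMPLE_REQUESTS).items():
        verdict = "ALLOW" if decision.allow else "DENY"
        print(f"{user}: {verdict} {'; '.join(decision.reasons)}")
```

Two design points are worth noting. The decision is built from a list of failed checks rather than an early return, so a denied user sees every reason at once and an audit log records the full picture. And an unclassified data label is a denial, not a pass: until the categorization work in the Data pillar is done, the safe default is to refuse.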

Beyond the mandate: business benefits

In the long run, zero trust can enable your enterprise to reap rewards that go beyond security.

One international security firm saved its employees hundreds of thousands of minutes of virtual private network (VPN) authentication time by adopting a zero-trust security program. No longer having to authenticate manually every time they log on, workers at this company save more than 307,000 minutes (roughly 5,000 hours) per month, about 61,000 hours a year, for potentially tens of millions of dollars in savings.

Zero trust can bring a wealth of business benefits including:

  • Greater operational and digital resilience

  • Lower business continuity and disaster recovery costs

  • A more streamlined security budget

  • Better, more efficient compliance

  • Easier-to-use company websites and applications

  • Increased confidence from your CEO and board in how well you can manage threats

Getting to zero in four steps

Meeting the zero-trust mandate entails reconfiguring and re-architecting your security infrastructure. Getting there takes planning and foresight, a long view and the patience to reach your goals in increments. Here’s the four-step approach PwC recommends:

1. Define ecosystem components. The system of interlocking parts making up zero trust includes:

• Identity and access management (IAM) to allow only authorized people access to specific sites, systems or information.

• Software-defined access (SDA) to authenticate devices and assess their security and compliance before allowing them on a network, and to enforce segmentation rules.

• Segmentation, starting with application-layer inspection that classifies traffic according to the program in use, identifying even evasive, dynamic or encapsulated applications.

• Endpoint security, enabling you to manage and assess your network devices and determine the level of access they should have.

• Software-defined perimeter/networking (SDP/SDN) that keeps resources invisible until the user and device are verified and builds access around identities rather than network location, improving security and reducing costs.

• Cloud networking, starting with a reference architecture, then adding scalable cloud services that can restrict and proxy user access.

• Governance and management that entails designing the security strategy and plan, defining the governance model and establishing a governance team.

2. Identify areas of concern. Assess the state of your security infrastructure to find and highlight components that need improvement, and decide how to approach each.

3. Plan to mature your program holistically and incrementally. Some components may mature quickly; others will need more time to put fully into place. The order depends on your organization’s priorities.

4. Create your detailed, step-by-step plan. Develop a plan of action that can take your enterprise architecture to zero-trust security.

The Microsoft advantage

Which security software and services are you using? Which ones do you need? How well will these integrate? If they don’t mesh, your developers may have to write application programming interfaces (APIs) tailored to each solution — a time-consuming and complex process.

We often point zero-trust-curious customers to Microsoft, for a number of reasons. Identity, which tops the five-pillars list in both the CISA model and the White House memorandum, forms the foundation of zero trust, and many organizations already use Active Directory or Azure AD (now Microsoft Entra ID) to manage identities. In fact, you may already have access to the Microsoft products you need via your E3 or F5 subscriptions.

Slow and steady wins the race

As with any monumental change, getting to zero trust can feel less daunting if you take small steps toward your goal. Each success can bolster your confidence, as well.

In the end, you’ll be well positioned to qualify for those government contracts. And your state-of-the-art security architecture can better protect your information and that of your customers and clients.



Brian Plourde

Principal, Cybersecurity, Privacy and Forensics, PwC United States


David Ames

Principal, Cyber, Risk & Regulatory, PwC United States

