b'W Zero trust realizes What can agencies do now to begin implementing Zero Trust policiesand procedures? Sean Connelly: Its a long term path. Full disclosure, Im one of the authors of NIST Special Publication (SP) 800-207 on zerotrust architectures, and theres a migration path in that document. The first three items are not really technical. 1. Identify the differentstakeholders and roles thatthe agency needs to be were never going to supporting this.eliminate the risk.2. Identify the assets. Not only the assets that need to be secured byThats the reality ofzero trust, but what infrastructure will be used to help support theour world. Its about zero trust architecture itself. compartmentalization.3. Identify the processes Theres some bad actors themselves. What needs tobe controlled to work with some very slickthrough everything.capabilities, but if we After thats done, then I think agencies should form policies andslow them down, they determine the candidates. I thinkcan be stopped. its critical for agencies to move forward with some pilots first, before supporting more - State Department Officialenterprise applications. Thenideally once [agencies] havesuccess with those pilots, they should expand it to greater enterprise platforms. Steven Hernandez: I think SASE is going to be the fast path for most folks. However, theres a big warning with this: if you dont have identity credential and accessmanagement (ICAM) in place, your ICAM is not working well and you cant federate, or you cant get data in and out of your ICAM platform, start there. You must be able to have solid identity or it will be a mess down the road. The other part is aroundthat idea of data. Being able to collect data, have it in a platform whereby itsaccessiblehopefully in its native formatand[ensuring] its rapidly searchableGovernment Business Council Securing the Nations Network|Page 3'