FEDERAL AGENCIES ARE MOVING TO ZERO TRUST, BUT WHAT ABOUT CONTRACTORS?

Search on “federal contracts” and “Zero Trust” these days and you’ll find federal agencies talking about their moves to implement this important cybersecurity standard. Offerings from government contractors to help with that implementation are also easy to find. What about contractors themselves, though? Contractors frequently handle sensitive information and work side-by-side with federal employees. Even commercial item contractors can do work in sensitive or classified offices. There are thousands of commercial item and service contractors doing business with federal agencies today, including many small businesses. Ask one about Zero Trust and you’re just as likely to get a response involving the Friday night plans for a teenager as an acknowledgement of a federal cyber issue.

The GSA website defines Zero Trust as “an approach to cybersecurity that goes beyond ‘trust but verify’ and treats all networks and traffic as potential threats.” It also lists multiple components of a Zero Trust Architecture (ZTA). These can serve as guidelines for what contractor systems should look like, and include such features as:

  • Authenticating, monitoring, and validating user identities and trustworthiness.
  • Identifying, monitoring, and managing devices and other endpoints on a network.
  • Controlling and managing access to and data flows within networks.

Some federal agencies have already started including Zero Trust requirements in their contracts. Contractors that have the capability may have an advantage over those that don’t. All contractors, though, need to be aware of the federal move to Zero Trust and what it means for their ability to continue doing certain types of federal business. No company should certify to this, or any other, standard without understanding what is required of it. Check out the GSA Zero Trust page for more.