GSA plans to publish zero trust playbooks

General Services Administration is partnering with the Federal CIO Council on zero trust playbooks set for release in the coming months, featuring methods to take the conceptual security framework into the implementation phase, an official from the agency’s IT modernization office said this week. 

Kiran Balsa, deputy director of the IT modernization office of governmentwide policy at GSA, said the agency plans to publish approximately six playbooks around zero trust implementation methods, with some explaining the base capabilities required to establish a zero trust architecture, and others focusing on identity, devices, network applications and other areas.

"There's a lot there, and it can all be distilled down in simple terms," Balsa said at a Digital Government Institute event on Thursday. "That's what we're trying to do – and then provide actual guidance to agencies."

While agencies like the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) published a wave of guidance around zero trust in recent years, including NIST's SP 800-207 and CISA's zero trust maturity model, Balsa suggested those materials lack concrete steps to implement agency-wide zero trust security measures like continuous verification, preventing lateral movement and automated context collection and response.

The CIO Council began leading a multi-agency effort earlier this year to develop the zero trust playbooks, and is partnering with GSA to issue the guidance across the federal government. 

Thomas Santucci, director of GSA's Data Center and Cloud Optimization Initiative Program Management Office, detailed the CIO Council's effort on zero trust at an FCW event in February, before the partnership with GSA was announced. 

Santucci said at the time that the council was spearheading a multi-agency effort to develop playbooks featuring "technically and organizationally oriented" methods for implementation.