Viewpoints

Governance . . . is key to a successful long-term federal enterprise implementation of zero trust.

Margaret Graves is a Senior Fellow with the IBM Center for The Business of Government.

implementation. The nine priority recommendations, from my perspective, fall into three categories: governance, standards, and shared services.

Keys to Zero Trust

It is important to address governance at the outset, as it is key to a successful long-term federal enterprise implementation of zero trust. The NSTAC draft report states the need to establish a whole-of-government approach and to manage implementation at an enterprise level, complete with all the expected governance elements. Those elements include, at a minimum, an enterprise program management office (PMO), a reporting and accountability structure, a unified plan, and oversight from appropriate stakeholders. If this structure is not in place, we risk the real possibility of agencies pursuing individual transactional improvements without the benefit of a clear vision.

In a conversation regarding this topic with Francis Rose on The Daily Scoop, I referred to the fact that there is already precedent for this enterprise model. The Continuous Diagnostics and Mitigation (CDM) program and its PMO were established within the Department of Homeland Security/CISA to ensure a set of cybersecurity improvements were met from a governmentwide perspective. The program was legislated by Congress, with appropriated centralized funding and a mandate to build an enterprise implementation plan inclusive of all agency activity. In addition, the CDM PMO executed a centralized acquisition strategy and established shared services for agencies to use. OMB and DHS held periodic progress reviews with agencies and reported to Congressional stakeholders as required.

There is already a baseline of cyber reporting and what is added should indeed be minimal. Both the Federal Information Security Modernization Act (FISMA) and the Federal Information Technology Acquisition Reform Act (FITARA) have recently been the subject of legislative revisions, so there is a very real and timely opportunity to rationalize all cyber reporting requirements, avoiding any additional burden and ensuring that all measures are congruent. Finally, all this activity must be underpinned by best practice frameworks, maturity models and playbooks, and ultimately codified in National Institute of Standards and Technology (NIST) standards.

A Long-Term Vision

Establishing governance, standards, and shared services will focus us on the long-term vision, but agencies are already in the throes of implementing the short-term requirements of zero trust. The DHS/CISA Zero Trust Maturity Model establishes pillars or areas of focus for zero trust implementations. Those pillars are identity, device, network/environment, application workload and data.

2022 IBM Center for The Business of Government 71