An official at the Cybersecurity and Infrastructure Security Agency told a White House industry advisory panel that the agency was working on guidance for federal agencies around how best to adopt “Zero Trust” security strategies.
While appearing at a National Security Telecommunications Advisory Council meeting Wednesday, Trent Frazier, CISA’s deputy assistant director of the stakeholder engagement division, told the panel that the agency was “putting the final touches” on what he called a “technical roadmap” for agencies to use as they translate a cybersecurity executive order issued last year, which mandates a move to Zero Trust security architecture, into on-the-ground cybersecurity operations.
“CISA was either a part of or responsible for 35 tasks identified within the executive order and we continue to make progress in completing those tasks,” Frazier said. “Part of this effort is the Zero Trust maturity model…a practical and technical roadmap that they can use as they transition towards zero trust options.”
Frazier did not provide a specific date for the document’s release or say whether it went beyond technical guidance. A CISA press official acknowledged questions sent by SC Media but had not responded at press time.
The Biden administration’s executive order kicked off a cascading series of tasks for federal agencies like CISA and the Office of Management and Budget around Zero Trust, with OMB issuing specific marching orders to agencies that were finalized in January.
Those plans include lofty goals to identify every device connected to civilian federal networks, implement multi-factor authentication, dramatically boost logging capabilities and implement Endpoint Detection and Response technologies. They would also mandate constant identity verification, encryption on most federal devices, and continual testing of public- and private-facing software applications.
Referencing rising tensions as the result of an ongoing invasion of Ukraine by Russian forces, Frazier said the President’s strategy would leave agencies better prepared to protect themselves and assist organizations in the public and private sector who may get caught up in any cyber spillover from the conflict.
While acknowledging that there are no current credible threats, Frazier said CISA was focusing its outreach to businesses on four key tenets, including “ensuring organizations are taking steps to reduce the likelihood of a damaging cyber intrusion, taking appropriate measures to quickly detect potential intrusions and, where possible, report them to the appropriate authorities both within CISA and within the FBI…ensuring that organizations are prepared to respond should an intrusion occur, and finally maximizing their resilience should they be the unfortunate victim of a destructive cyber incident.”
The fight to define 'Zero Trust'
At the same meeting, NSTAC members unanimously approved a report that praised Biden’s plan for moving agencies to a Zero Trust posture even as it made 20 recommendations for improving it and described the plan as “deliberately restrained in scope to cover directed actions over just a 2½-year period” that could result in an “incomplete experiment.”
Mark McLaughlin, co-chair of the Zero Trust identity management subcommittee, said the elevation of cybersecurity and the embrace of the concept within the Biden administration has been a positive development both within the federal enterprise and beyond.
“We believe the sustained commitment to its principles can be transformative for cybersecurity and the importance of Zero Trust being mentioned in high level policy documents, including the Presidential executive order, cannot be overstated in terms of its impact in awareness and adoption of Zero Trust within board rooms and information security teams across the nation,” McLaughlin said.
The CISA document will be geared towards assisting agency CIOs and CISOs as they wade through implementation of a security concept that is viewed as promising in policy circles but is still somewhat polarizing within the cybersecurity community.
Zero Trust is more a philosophy of security than a specific technology or product. Its proponents argue that the best way for an organization to protect its systems and data is to treat every asset and employee as if they are potentially compromised. It deemphasizes traditional network security boundaries like firewalls in favor of things like strict access policies, constant identity checks and a focus on protecting and segregating high value data from the rest of the broader network.
Detractors have argued that the Zero Trust label, which has gained a fair amount of traction within corporate board rooms and other echelons of power where cybersecurity investments have traditionally been ignored, merely represents a repackaging of existing security ideas and that it has become a buzzword for the cybersecurity technology industry, which has exploited the ambiguity around the term’s meaning to slap it on the side of countless products regardless of how they may ultimately relate.