The Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security is putting the final touches on several guidance documents to help ease the transition to a zero trust cybersecurity environment.
The entire goal of this effort is to move security away from the network and to the data and application layers.
John Simms, the deputy branch chief of the Cybersecurity Assurance Branch in CISA, said the documents and other efforts are helping agencies shift their cyber thinking away from the network and closer to the data.
“When we look at cloud and we look at how we’re going to facilitate zero trust into the future, we’ve got to fundamentally shift our thinking away from that network centric base of cybersecurity and visibility, and look at how we can support it in a risk-based approach,” Simms said during a panel sponsored by ATARC in November. “We really need to focus zero trust and where it really is going to help us change the dynamic and federal cybersecurity.”
Simms said CISA pushed out the documents within 90 days of the cybersecurity executive order President Joe Biden signed in May, and that forced the agency to reset some expectations about what zero trust really means to agencies. CISA also had to change the services it provides to agencies to emphasize the concepts of zero trust at the application and data layers.
“One of the other important things that we’ve been doing is working with an agency on looking at how zero trust maps to NIST Special Publication 800-53 because I think there’s a pretty significant Delta there when we talk about it, and how the inspector generals are going to assess and evaluate the agencies, as they do annually for the Federal Information Security Management Act (FISMA) report,” he said. “Right now, we’re in the very early stages of how we’re going to step through this. It was brought to our attention by a former colleague who was working back in one of the agencies and as she was looking at how to support her zero trust project, and make sure that the 800-53 and the risk management framework are supportive of that shift. She identified that there were some gaps in terms of how you translate the zero trust capabilities to the various levels of security controls in the security baseline of 800-53.”
Simms added that CISA is working with the zero trust working group under the Federal CIO Council and the National Institute of Standards and Technology, and would like to brief the IT working group under the Council of IG on Integrity and Efficiency (CIGIE) about the relationship between zero trust and 800-53.
“When agencies hear the IG say something about how things are going with FISMA, they really pay attention. If we’re in a position to help influence that in a positive way, it’s absolutely critical that we do so,” he said. “We’ve got to pare down what we’re spending on IT and really focus on those things that matter. We have to adjust to a risk management approach in terms of how we apply architecture and capabilities across the enterprise to support the varying degrees of risk that we can absorb or manage within a given agency network. That’s like a huge part of what we need to continue to advocate for. But, to me, that is a significant element of the culture shift that needs to happen.”
One way CISA is going to drive some of the culture and technology changes to help agencies achieve a zero trust environment is through the continuous diagnostics and mitigation (CDM) program.
In October, CISA released a request for information for endpoint detection and response (EDR) capabilities that vendors under the CDM program will implement for agencies.
“We know CDM was called out in the executive order and we need to modernize and make sure the program keeps pace with not only cloud but modern hosting environments,” he said. “CDM is looking to push out the EDR solution capability within this next fiscal year, I believe. That will fundamentally change the way that program has operated as a set of capabilities leaning forward.”
Simms added that CISA is also looking at how it interacts with agencies, pulls cyber data together to be more proactive and helps agencies solve long-term challenges.
“We are trying to look at the next revision of the zero trust maturity model to really bring that into focus, but also making sure when we do that, the zero trust maturity model is supportive of the cloud security technical reference architecture and the federal zero trust strategy,” he said. “The one thing I get concerned about is that one of the other legacy culture things is that we always like to do things in a silo. It’s incumbent upon all of us to pull this together to have a holistic view of CISA capabilities, services and what the operational model looks like in a unified way. That is our challenge and something that we are working with our leadership on.”