Zero trust, cloud security pushing CISA to rethink its approach to cyber services

The Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security is putting the final touches on several guidance documents to help ease the transition to a zero trust cybersecurity environment.

The entire goal of this effort is to move security away from the network and to the data and application layers.

John Simms, the deputy branch chief of the Cybersecurity Assurance Branch in CISA, said the documents and other efforts are helping agencies shift their cyber thinking away from the network and closer to the data.

“When we look at cloud and we look at how we’re going to facilitate zero trust into the future, we’ve got to fundamentally shift our thinking away from that network centric base of cybersecurity and visibility, and look at how we can support it in a risk-based approach,” Simms said during a panel sponsored by ATARC in November. “We really need to focus zero trust and where it really is going to help us change the dynamic and federal cybersecurity.”

Over the last three months, CISA, along with the Office of Management and Budget, rolled out the draft zero trust strategy, the draft cloud security technical reference architecture and the draft zero trust maturity model.

Simms said CISA pushed out the documents within 90 days of the cybersecurity executive order President Joe Biden signed in May and that forced them to reset some expectations about what zero trust really means to agencies. CISA also had to change the services they provide to agencies to emphasize the concepts of zero trust at the application and data layers.

“One of the other important things that we’ve been doing is working with an agency on looking at how zero trust maps to NIST Special Publication 800-53, because I think there’s a pretty significant delta there when we talk about it, and how the inspectors general are going to assess and evaluate the agencies, as they do annually for the Federal Information Security Management Act (FISMA) report,” he said. “Right now, we’re in the very early stages of how we’re going to step through this. It was brought to our attention by a former colleague who was working back in one of the agencies. As she was looking at how to support her zero trust project, and make sure that the 800-53 and the risk management framework are supportive of that shift, she identified that there were some gaps in terms of how you translate the zero trust capabilities to the various levels of security controls in the security baseline of 800-53.”

Simms added that CISA is working with the zero trust working group under the Federal CIO Council and the National Institute of Standards and Technology, and would like to brief the IT working group under the Council of the Inspectors General on Integrity and Efficiency (CIGIE) about the relationship between zero trust and 800-53.

“When agencies hear the IG say something about how things are going with FISMA, they really pay attention. If we’re in a position to help influence that in a positive way, it’s absolutely critical that we do so,” he said. “We’ve got to pare down what we’re spending on IT and really focus on those things that matter. We have to adjust to a risk management approach in terms of how we apply architecture and capabilities across the enterprise to support the varying degrees of risk that we can absorb or manage within a given agency network. That’s like a huge part of what we need to continue to advocate for. But, to me, that is a significant element of the culture shift that needs to happen.”

One way CISA is going to drive some of the culture and technology changes to help agencies achieve a zero trust environment is through the Continuous Diagnostics and Mitigation (CDM) program.

CISA released a request for information for endpoint detection and response (EDR) capabilities in October that vendors under the CDM program will implement for agencies.

Simms said this is one example of how CISA is beginning to change how it provides cyber services.

“We know CDM was called out in the executive order and we need to modernize and make sure the program keeps pace with not only cloud but modern hosting environments,” he said. “CDM is looking to push out the EDR solution capability within this next fiscal year, I believe. That will fundamentally change the way that program has operated as a set of capabilities leaning forward.”

Simms added that CISA is also looking at how it interacts with agencies, pulls cyber data together to be more proactive, and helps agencies solve long-term challenges.

“We are trying to look at the next revision of the zero trust maturity model to really bring that into focus, but also making sure when we do that, the zero trust maturity model is supportive of the cloud security technical reference architecture and the federal zero trust strategy,” he said. “The one thing I get concerned about is that one of the other legacy culture things is that we always like to do things in a silo. It’s incumbent upon all of us to pull this together to have a holistic view of CISA capabilities, services and what the operational model looks like in a unified way. That is our challenge and something that we are working with our leadership on.”
