Released earlier this spring, CISA’s Zero Trust Maturity Model 2.0 assists agencies in navigating their zero trust journey by offering a well-defined roadmap for the widespread adoption of zero trust in the government sector. A zero trust approach sets a high bar for security by assuming that every user, device and application is a potential threat and requires verification and authorization before granting access.
CISA’s zero trust model provides federal agencies with a clear path to follow, making it another vital tool to help define the zero trust journey — one that will help them meet the September 2024 deadline set by the Office of Management and Budget’s memo, M-22-09 Federal Zero Trust Strategy.
While every agency has a unique starting point, there are several steps that can help agencies as they work to achieve an “optimal” posture in their zero trust journey and meet upcoming deadlines. These steps include taking inventory of their current posture, continually modernizing to implement the strongest standards, considering the impact of supply chain security and improving detection of cyber incidents and investigative capabilities.
Understanding your position in the zero trust journey
Proper security tools are essential to an agency’s defense against cyber-attacks. But first, agencies must have a complete understanding of their systems’ strengths and weaknesses. This includes knowing which tools are currently being utilized, which require enhancements, and which are lacking entirely. This creates a baseline for the agency’s zero trust position and establishes required actions.
A “rip and replace” approach is not a practical solution for cybersecurity infrastructure, so starting with a clear baseline allows agencies to effectively support the zero trust pillars of identity, devices, networks, applications and workloads, and data by understanding where the cyber infrastructure can be improved.
Modernizing and implementing stronger standards
A focus on SLAs, dashboards with real-time analytics, and enterprise IT security posture can support agencies as they assess the effectiveness of their current security efforts. It can also ensure they align with increasingly rigorous standards, like the ones outlined in recent zero trust guidelines, and track the continued improvement of maturity levels over time.
Key standards highlighted in zero trust guidelines include using enterprise-managed accounts, which allow employees access to everything they need while remaining reliably protected from sophisticated attacks, encrypting all network traffic and consistently testing enterprise applications.
Federal security and data teams must also work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information.
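The paragraph above describes the combination of data categories and security rules that detect and block unauthorized access. The following is an added illustration, not code from the page or from any agency program: a small policy engine that assigns each record a category (by explicit label or by content detection), evaluates every request against the rule for that category in zero trust fashion (identity, MFA, device posture and role are all checked per request, with no implicit trust), and records denied attempts so that repeated probing of sensitive data becomes a detectable signal. The category names, rules, detection patterns and sample records are all constructed assumptions; a real deployment would derive them from the agency's own classification policy.

```python
import re
from dataclasses import dataclass, field

# Constructed data categories and the rule each one enforces (assumed values,
# not taken from CISA guidance or any agency policy).
CATEGORY_RULES = {
    "public":    {"mfa": False, "managed_device": False, "roles": None},
    "internal":  {"mfa": True,  "managed_device": False, "roles": None},
    "sensitive": {"mfa": True,  "managed_device": True,
                  "roles": {"records-analyst", "records-admin"}},
}

# Content detectors that auto-categorize a record carrying no explicit label.
# Patterns are constructed for illustration only.
SENSITIVE_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # SSN-shaped value
    re.compile(r"\bCUI\b|\bPII\b", re.IGNORECASE),   # marking words
]


def classify(record: dict) -> str:
    """Return the data category: an explicit label wins, otherwise detect by content."""
    label = record.get("label")
    if label in CATEGORY_RULES:
        return label
    body = str(record.get("body", ""))
    if any(p.search(body) for p in SENSITIVE_PATTERNS):
        return "sensitive"
    # Records with an owning office are treated as internal; unowned ones as public.
    return "internal" if record.get("owner") else "public"


@dataclass
class AccessRequest:
    user: str
    roles: set
    mfa_verified: bool
    device_managed: bool
    device_compliant: bool
    record: dict


@dataclass
class Decision:
    allowed: bool
    category: str
    reasons: list = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Verify every request against the rule for the record's category; no implicit trust."""
    category = classify(req.record)
    rule = CATEGORY_RULES[category]
    reasons = []
    if rule["mfa"] and not req.mfa_verified:
        reasons.append("mfa-required")
    if rule["managed_device"] and not (req.device_managed and req.device_compliant):
        reasons.append("compliant-managed-device-required")
    if rule["roles"] is not None and not (req.roles & rule["roles"]):
        reasons.append("role-not-entitled")
    return Decision(allowed=not reasons, category=category, reasons=reasons)


# Denied attempts are kept so that repeated probing of sensitive data is detectable.
AUDIT: list = []


def enforce(req: AccessRequest) -> Decision:
    """Evaluate the request and record a denial for later detection."""
    decision = evaluate(req)
    if not decision.allowed:
        AUDIT.append({"user": req.user, "category": decision.category,
                      "reasons": decision.reasons})
    return decision


def repeated_denials(threshold: int = 3) -> dict:
    """Users denied access to sensitive data at least `threshold` times: a SOC signal."""
    counts: dict = {}
    for entry in AUDIT:
        if entry["category"] == "sensitive":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed sample record and requests.
    claim = {"body": "claimant SSN 123-45-6789", "owner": "benefits"}
    ok = AccessRequest("alice", {"records-analyst"}, True, True, True, claim)
    unmanaged = AccessRequest("bob", {"records-analyst"}, True, False, False, claim)
    print(enforce(ok))
    for _ in range(3):
        print(enforce(unmanaged))
    print("repeated denials:", repeated_denials())
```

The point the example makes is that the category rule, not the network location of the requester, decides the outcome: the same user with the same role is allowed from a compliant managed device and denied from an unmanaged one, and the denials accumulate into something the security operations team can act on.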
Securing the IT supply chain
Over the past couple of years, federal agencies have become keenly aware of the need to protect their IT supply chain. This includes implementing solutions that provide a flexible and customizable approach to evaluating vendors, and those that can help close down parts of the network if one portion of the security supply chain becomes compromised. These solutions and approaches are already playing an imperative part for various agencies across government.
For example, to achieve the crucial balance between enhancing network security and enabling dynamic autonomous operations for law enforcement, the Treasury Department leveraged logical micro-segmentation and network-based segmentation to help strengthen network security. Segmenting the agency’s network can isolate environments and prevent compromised components from jeopardizing the entire network. This approach has proven highly effective in maintaining the security and reliability of operations.
Improving detection of cyber incidents and remediation capabilities
The sheer volume of cyber incidents that analysts receive in a cabinet-level security operations center makes it impossible to appropriately assess each one and quickly identify those that require immediate attention. Agencies need access to tools that can automate detection and prioritization so analysts can take appropriate actions fast enough to address a threat. Should a severe incident take place, their ability to contain, eradicate and recover from the event is crucial.
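The paragraph above calls for tools that automate detection and prioritization so analysts see the incidents that need attention first. As an added example that is not from the page or from any agency's tooling, the script below takes a constructed batch of alerts, collapses repeats of the same rule on the same host, boosts alerts where several distinct rules fire on one host close together in time, and weights each by severity, detector confidence and asset criticality. The alerts, the criticality lookup and the weights are all constructed assumptions standing in for a real alert feed and CMDB.

```python
from datetime import datetime, timedelta

# Constructed sample alerts, as a SOC tool might ingest them (not real data).
ALERTS = [
    {"id": "a1", "ts": "2024-03-01T09:00:00", "host": "ws-114",
     "rule": "malware-signature", "severity": "high", "confidence": 0.9},
    {"id": "a2", "ts": "2024-03-01T09:02:00", "host": "ws-114",
     "rule": "outbound-beacon", "severity": "medium", "confidence": 0.6},
    {"id": "a3", "ts": "2024-03-01T09:03:00", "host": "ws-114",
     "rule": "malware-signature", "severity": "high", "confidence": 0.9},  # repeat of a1
    {"id": "a4", "ts": "2024-03-01T09:10:00", "host": "db-prod-01",
     "rule": "failed-login-burst", "severity": "low", "confidence": 0.5},
    {"id": "a5", "ts": "2024-03-01T09:30:00", "host": "ws-220",
     "rule": "failed-login-burst", "severity": "low", "confidence": 0.3},
    {"id": "a6", "ts": "2024-03-01T11:00:00", "host": "db-prod-01",
     "rule": "priv-escalation", "severity": "high", "confidence": 0.8},
]

# Assumed asset criticality (stand-in for a CMDB lookup) and severity weights.
ASSET_CRITICALITY = {"db-prod-01": 3, "ws-114": 1, "ws-220": 1}
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}


def _ts(alert: dict) -> datetime:
    return datetime.fromisoformat(alert["ts"])


def dedupe(alerts: list, window: timedelta = timedelta(minutes=15)) -> list:
    """Collapse repeats of the same rule on the same host inside the window, keeping a count."""
    kept, last = [], {}
    for alert in sorted(alerts, key=_ts):
        key = (alert["host"], alert["rule"])
        if key in last and _ts(alert) - _ts(last[key]) <= window:
            last[key]["count"] += 1
            continue
        copy = dict(alert, count=1)
        kept.append(copy)
        last[key] = copy
    return kept


def chain_length(alert: dict, alerts: list,
                 window: timedelta = timedelta(minutes=30)) -> int:
    """Number of distinct rules firing on the same host close in time (crude chain signal)."""
    return len({other["rule"] for other in alerts
                if other["host"] == alert["host"]
                and abs(_ts(other) - _ts(alert)) <= window})


def score(alert: dict, chain: int) -> float:
    """Severity x confidence x asset criticality, with a bonus for correlated activity."""
    base = SEVERITY_WEIGHT[alert["severity"]] * alert["confidence"]
    criticality = ASSET_CRITICALITY.get(alert["host"], 1)
    return round(base * criticality * (1 + 0.5 * (chain - 1)), 2)


def prioritize(alerts: list) -> list:
    """Return deduplicated alerts with chain length and score, highest score first."""
    deduped = dedupe(alerts)
    ranked = []
    for alert in deduped:
        chain = chain_length(alert, deduped)
        ranked.append(dict(alert, chain=chain, score=score(alert, chain)))
    return sorted(ranked, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in prioritize(ALERTS):
        print(f'{alert["score"]:5.2f}  {alert["id"]}  {alert["host"]:<10} '
              f'{alert["rule"]:<18} x{alert["count"]}  chain={alert["chain"]}')
```

On the constructed input the privilege-escalation alert on the production database rises to the top despite arriving last, the two distinct detections on the same workstation within minutes are ranked above a lone low-severity alert, and the duplicate signature hit is folded into a count rather than shown twice. The weights are deliberately simple; the structure (dedupe, correlate, weight by asset) is what an agency would tune against its own environment.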
As part of its process of enforcing a uniform approach to cyber incidents, the Environmental Protection Agency worked toward automating functions of its security and risk team’s responsibilities. Implementing a security incident response module helped structure security operations agency-wide, enabling a more uniform approach to emerging threats. Utilizing security orchestration, automation and response (SOAR) helped reduce manual errors and streamlined response processes, improving the agency’s ability to respond to threats quickly.
By embracing zero trust principles, agencies can be more proactive and diligent in protecting their IT infrastructure and users in today’s digital landscape. However, it’s a big undertaking that requires ongoing effort to implement fully. To identify which standards need strengthening, agencies must understand their position in their zero trust journey.
From there, agencies can make informed decisions on flexible cybersecurity solutions that align with Zero Trust Maturity Model 2.0 pillars. This will help accelerate the implementation of zero trust without compromising compliance requirements and citizens’ needs, all while limiting the impact of a potential breach. By taking small steps, agencies can evaluate their current compliance levels, create plans to increase maturity and stay informed and aligned with federal guidance and regulations.
Chris Cullerot is director of technology and innovation at iTech AG.