Nearly two months after President Joe Biden signed his cybersecurity executive order setting up multiple sprints for agencies to harden their security posture, the Cybersecurity and Infrastructure Security Agency says a long-term vision for zero trust adoption across agencies is coming into focus.
Matt Hartman, CISA’s deputy executive assistant director for cybersecurity, said the cyber executive order focuses on short-term sprints, but will result in strategies and roadmaps that will build momentum on cyber policy through the rest of the Biden administration.
For example, he said the entire federal government should be able to make “meaningful progress” on implementing zero trust within the next three years.
“The administration fully recognizes that many of the core issues that are being addressed will only be solved through years — literally years of focus and continued investment. That’s my sense, that as we hit the end of the 90-day EO timeline, we will have many enduring plans with additional milestones that the White House, OMB, CISA and others will continue driving for the next several years, for the duration of this administration,” Hartman said last Wednesday the American Council for Technology and Industry Advisory Council’s Homeland Security and Law Enforcement Forum.
CISA, under the cyber executive order Biden signed in May, put out a zero trust maturity model that focused on the five pillars critical for agencies — identity, device, network, application workload and data.
Hartman said the transition toward zero trust will rely in part on agencies embracing automation solutions such as continuous validation and real-time machine learning analytics.
“As agencies will transition toward optimal zero trust implementations, their solutions will become more automated, they’ll fully integrate across pillars, and they’ll become more dynamic in their policy enforcement decisions,” he said.
But with more than 100 civilian agencies of varying size and maturity levels, Hartman said the executive order avoids a one-size-fits-all approach moving to zero trust.
“For a lot of agencies, success will come down to starting small, not trying to boil the ocean at once, remaining agile. Everyone to be successful here is going to require a high-level champion, someone who is committed to working across breaking down barriers, and ensuring clear communications at all levels,” he said.
Karl Mathias, the chief information officer for the Marshals Service, said his agency and the rest of the Justice Department began the move toward zero trust well before the administration’s executive order to better secure its multi-cloud operating environment.
“The basic problem is we’ve always been very network-focused on our security, so once you can penetrate the network boundary, you tend to be able to move around. We like the idea that instead of depending on that network boundary being your sole defense, instead you’re going to the application level, and you’ve got that broker out there saying, ‘OK, I’m going to figure out who you are, and then I’m going to make decisions on where you’re coming from, and I’m going to give you a score.’ And based on that score, we’re going to make decisions on whether you can access this app or not,” Mathias said.
Later this month, agencies must submit plans to OMB outlining how they plan to implement zero trust as a security infrastructure.
Meanwhile, the EO directs OMB and CISA, together with the General Services Administration and the Federal Risk Authorization and Management Program (FedRAMP), to develop a federal cloud-security strategy focused on accelerating zero trust adoption.
Iranga Kahangama, the National Security Council’s director for cyber incident response, said the White House drafted the executive order in “direct response” to breach events such as the Solarwinds and Microsoft Exchange compromises.
“We literally took the hardships that we experienced as a federal government, trying to unpack and figure out that those incidents and really looking to lower the barrier in terms of information sharing, information gathering and overall detection. All those lessons learned were very directly applied to this,” Kahangama said.
CISA, under the executive order, recently submitted its recommendations to implement enterprise-wide endpoint detection and response capabilities.
Hartman said CISA in the fourth quarter of fiscal 2021 is focused on purchasing capabilities for agencies related to identity and access management. Deploying these capabilities through CDM and continuing to work on an enhanced version of EINSTEIN One, which will bring in a richer set of threat indicators.
“Accelerating some of these capabilities through CDM, that could have been useful in helping agencies detect accounts being created that were not being created by users appropriately,” Hartman said, referring to the detection of the SolarWinds breach.
Amid a growing range of cyber threats, Hartman said CISA is well-positioned to use its new authority to hunt for threats on agency networks. Congress authorized this capability in last year’s National Defense Authorization Act.
“It is CISA’s job and our responsibility to be able to connect the dots across sectors and prevent threats from achieving their objectives, or at least minimizing the impact associated with these threats. So without the ability to detect threats at the host level, we simply can’t effectively do our job,” Hartman said.