CISA tells agencies they don’t have to go it alone on zero trust

The Cybersecurity and Infrastructure Security Agency is highlighting the services it will make available for agencies so they can meet the goals of the newly mandated zero trust security architecture.

CISA’s draft “Zero Trust Maturity Model,” released publicly this week, isn’t entirely new. Sean Connelly, program manager of Trusted Internet Connections at CISA, said CISA sent the document to agencies in June, shortly after President Joe Biden’s May executive order on cybersecurity directed agencies to come up with zero trust implementation strategies.

“Agencies were just asking for some quick relief, some quick orientation on how to build out zero trust,” Connelly said during a Sept. 8 event produced by NextGov. “There’s a number of maturity models out there, both on the vendor side, and again on the [Defense Department] side. But we built ours more on the civilian side.”

The Office of Management and Budget is telling agencies to reach a basic zero trust maturity level by the end of fiscal 2024.

CISA is now seeking feedback on the maturity model through Oct. 1. The agency is also seeking feedback on a new Cloud Security Technical Reference Architecture document by the same deadline.

The maturity model is built around the five “pillars” of zero trust also endorsed by OMB: identity, device, network/environment, application workload and data. It also outlines maturity stages for each pillar, starting at “traditional,” then “advanced” and finally “optimal.”

For the “identity” pillar, for example, a “traditional” maturity stage includes using passwords and multifactor authentication and a “limited risk assessment,” while an “optimal” approach involves “continuous validation” and “real time machine learning analysis.”

And for each pillar, the document highlights current and future CISA services and offerings agencies can use to achieve zero trust maturity.

“We embed some of the CISA services,” Connelly said. “They’re either there today, or potential CISA services we may be supporting or tentatively offering later on, so agencies can understand as we build out the maturity model, where agencies can leverage CISA services.”

He pointed to advanced protective domain name system services as an example of the offerings CISA will be making available “in the next year or so.”

“That’d be one strong service for the agencies to be aware of under the network pillar of the zero trust maturity model,” he added.

On the data front, the draft maturity model says CISA’s tentative future offerings include “readiness surveys to gauge the maturity of the zero trust pillars at agencies.”

“CISA will provide agencies with unique zero trust maturity feedback on these surveys, and agencies can use this feedback to identify gaps and to prioritize data protections,” the document states.

The draft notes how zero trust adoption will “require engagement and cooperation of senior leadership, IT staff, and users across the Federal Government to effectively achieve design objectives and improve cybersecurity posture.” It says the same also applies to the cloud adoption mandated by Biden’s executive order.

“This modernization of the Federal Government’s cybersecurity will require agencies to transition stove-piped and siloed IT services and staff to coordinated and collaborative components of a zero trust strategy,” the document states.

The SolarWinds supply chain infiltration, recent ransomware events and other cyber attacks have formed a crisis that is spurring government action on cybersecurity, especially in efforts at “consolidation” and “streamlining programs” that might not have been possible before, according to André Mendes, chief information officer at the Department of Commerce.

“Large agencies need to come together as Commerce has so that they are doing one effort,” Mendes said during the NextGov event. “If they’re going to have resource issues, they’re going to have resource issues because they will have multiple efforts. I think it’s incumbent upon the agency CIOs and [chief information security officers] to bring everybody together, all the bureaus and everybody else, and basically say, ‘This is what we need to do.’”
