Zero trust will be ‘incomplete experiment’ without prompt follow-up, report says

The Biden administration has done well in building momentum behind its zero trust initiatives, but a focus on short-term goals — to the exclusion of long-term planning — runs the risk of undershooting a sustained impact. That’s the warning contained in a new report from the National Security Telecommunications Advisory Council on the state of zero trust adoption in the federal government.

The report says current policies are a “welcome and necessary start to to help agencies build momentum and establish the foundational building blocks of zero trust.” Because most federal agencies are just getting started on their path to zero trust, the report said the short-term focus has thus far been appropriate.

But it also says that now is the time to plan for long-term follow-through.

“Absent additional significant action, the U.S. government risks zero trust becoming an incomplete experiment — a collection of disjointed technical security projects measured in years — rather than the foundation of an enduring, coherent and transformative strategy measured in decades,” the report said.

The report, which NSTAC voted unanimously on Feb. 23 to send to President Biden, contains a number of specific recommendations detailing exactly what that follow-up should look like. For instance, the report calls on the Cybersecurity and Infrastructure Security Agency to stand up a civilian zero trust program office. This office would “host implementation guidance, reference architectures, capability catalogs, training modules, and generally serve as a civilian government knowledge management center of excellence for zero trust.”

It would be the civilian counterpart to, and would coordinate and share best practices with, the recently-established Defense Department Zero Trust Program Office.

The report also calls on CISA to develop a new shared service to assist agencies in discovering “internet-accessible assets” through continuous and dynamic asset mapping. The authors found that keeping track of all of these assets can be challenging for agencies.

“For agencies to maintain a complete understanding of what internet-accessible attack surface they have, they must rely not only on their internal records, but also on external scans of their infrastructure from the internet. CISA will provide data about agencies’ internet-accessible assets obtained through public and private sources. This will include performing scans of agencies’ information technology infrastructure,” the report says.

The report also recommends that the government develop more mature standards and guidelines around zero trust. Existing guidelines from agencies including the National Institute of Standards and Technology, the National Security Agency, DoD and CISA “remain in relatively early stages of maturity,” the report says. It calls for increased partnership with industry and international standards bodies in order to establish “consensus-based, broadly recognized zero trust standards.”

Developing, introducing and adopting these standards is important for multiple reasons, according to the report. They can be used as federal purchasing requirements, for instance, to help drive behavior within industry and improve the security of the supply chain. They can also be used as metrics to determine whether voluntary adoption is working, or if it’s necessary to move to regulatory actions. To that end, the government can use these standards to evaluate the success of incentives like grants and other federal funding for states, localities and infrastructure.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.