The Cybersecurity and Infrastructure Security Agency (CISA) is updating its guidance and services to help agencies meet the goals of the White House’s zero trust strategy.
John Simms, Trusted Internet Connections senior technical advisor at CISA, said the agency will release an updated Zero Trust Maturity Model this year. CISA published a draft version last year.
The model is organized around five pillars, “Identity, Devices, Networks, Applications and Workloads, and Data,” plus three cross-cutting themes, “Visibility and Analytics, Automation and Orchestration, and Governance.”
“We’re going to come out with a revision this year to really dig into some more details with regard to how zero trust aligns with our CISA programs and services,” Simms said during an event hosted by ATARC last week.
The model is the basis of what agencies should be building toward under the Office of Management and Budget’s new zero trust strategy, released in January. Agencies have until March 27 to develop implementation plans for meeting zero trust security goals over the next three years.
Simms said CISA is looking at how it can update its Continuous Diagnostics and Mitigation program to better connect with the zero trust security strategy. The CDM program was developed starting in 2012 to provide agencies with tools to identify and secure assets on their networks.
“When we first started CDM, it was about ongoing authorization, sensoring the government data centers to perform continuous monitoring,” Simms said. “As the program evolved over time, and as we started looking at cloud and zero trust, especially in the last year or so, there’s been a recognition that we’ve got to look at how CDM capabilities can actually support the federal zero trust strategy and the application of zero trust within federal environments.”
OMB’s zero trust strategy specifically directs CISA to update the program to reflect how agencies have moved their data into commercial cloud environments in recent years.
“CISA will work toward developing the CDM program to better support a cloud-oriented Federal architecture,” the strategy states. “For example, CISA may choose to support automated asset discovery using the technical interfaces offered by many commercial cloud infrastructure providers.”
Simms said CISA and OMB have had several discussions about how to measure agency progress under the zero trust strategy. While there are specific deadlines in the strategy, Simms said the forthcoming implementation plans should help CISA and OMB understand what agencies need to meet the zero trust goals.
“They’re going to use those to continue the dialogue with the agencies, not just from the federal CIO’s office, but also the resource side of OMB where your budget examiners and resource officers and desk officers are engaging with the agencies,” Simms said.
Earlier this week, CISA also published a new guide for agencies, “Applying Zero Trust Principles to Enterprise Mobility.” The publication says special consideration needs to be given to mobile devices given their widespread use and rapid changes in the technology.
The “underpinnings” for zero trust already exist in mobile security, according to the guide, with built-in security features including sandboxing, segmentation, and secure memory management. Enterprise mobility management tools give agencies the ability to configure and enforce security policies, according to the document.
But mobile application development and security processes “need greater scrutiny to ensure alignment with ZT principles for access to enterprise resources,” the guide continues. It also calls for “tighter integration” between mobile security practices and the logging, monitoring, diagnostics and mitigation requirements in President Joe Biden’s cybersecurity executive order.
CISA is accepting comments on the mobility zero-trust paper through April 18.
“It is important to note that the mobility ZT paper is not a technical manual or implementation guide for either zero trust or enterprise mobility,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein wrote in a blog post. “Instead, it will guide federal civilian agencies and other organizations through the process of developing and implementing their specific cybersecurity capabilities for enterprise mobility toward adoption of their ZT goals.”