Zero Trust Cyber Exchange: CISA’s Eric Goldstein on maturing cyber processes

The bedrock of the move toward zero trust among federal civilian agencies is the maturity model from the Cybersecurity and Infrastructure Security Agency.

The Homeland Security Department bureau’s five-pillar approach to securing networks, systems and data came out in June 2021 and has been the roadmap that agencies and industry have followed to improve cybersecurity.

Eric Goldstein, executive assistant director for cybersecurity for CISA, said in the coming months, Version 2 will accelerate and broaden the understanding of zero trust.

“This whole effort is going to be a living document — the Zero Trust Maturity Model and the guidance for execution. We know that we are still learning as a security enterprise about how zero trust principles can be most effectively adopted at scale for different types of organizations. So this is going to be a living document and an ongoing effort for us,” Goldstein said during Federal News Network’s Zero Trust Cyber Exchange.

CISA received over 300 comments on Version 1 of the maturity model, and Goldstein said it has worked those into a new draft that it expects to release in late summer or fall.

“That’s going to be the next iteration of what I think will be an enduring living document because we are going to get ongoing feedback, not just from federal partners but the broader community,” he said. The feedback will help inform future guidance and how CISA can support organizations in benchmarking progress on zero trust and in understanding where they are and where to go next, Goldstein added.

The goal is to make sure the maturity model improves significantly and that CISA doesn’t, in his words, “put out a phone with just a better camera.”

Goldstein added, “If we’re going to come out with a new version, we want it to have some really useful new attributes to it that are really going to move the ball forward.”

19 federal zero trust objectives by 2024

The updated maturity model, whether it comes in the summer or fall, will arrive at a critical time for agencies. The Office of Management and Budget’s federal Zero Trust Strategy and its implementation guidance set out 19 objectives that agencies must hit by the end of 2024.

For example, by February 2023, agencies must ensure all public-facing systems that support multi-factor authentication (MFA) give users the option of using phishing-resistant authentication. Agencies also must select at least one Federal Information Security Modernization Act (FISMA) moderate system that requires authentication and is not currently internet-accessible, and securely allow full-featured operation of that system over the internet.

The strategy and its objectives demonstrated that zero trust isn’t just for modern organizations running cloud-native infrastructure, Goldstein said.

“I think the strategy sent a message that zero trust principles … are really so any organization can make progress on this journey,” he said. “That was also the importance of the Zero Trust Maturity Model that CISA published as an enabler of the administration’s Zero Trust Strategy — showing that wherever an entity is in making progress toward a zero trust strategy, you have to start somewhere. And starting somewhere and making progress is really the only way to actually make progress toward deploying the kind of architectures and controls that we know to be effective against the most significant threats.”

Agencies submitted their zero trust plans to OMB and CISA at the end of March, offering the first view of where the government is as a whole on this long journey.

Driving toward least privileged access

Goldstein said trends emerging from those plans include an initial focus on identity and access management, and in particular on managing access privileges.

In the wake of a series of intrusions and adversary campaigns targeting identity, credentials and privileged users — including the campaign that compromised SolarWinds’ Orion software and then abused federated identity to reach victims’ cloud environments — agencies have begun taking an identity-centric approach to cyber and moving toward principles of least privilege, strong and continuously revalidated authentication, and locking down credentials.

“It is really a sea change in how we think about security. We’re seeing agencies make significant investments across the board. At the same time, we do know that there’s real diversity across the federal enterprise. We have 101 federal civilian executive branch agencies. Each of them is by definition at a different point on their journey through the Zero Trust Maturity Model and executing the administration’s Zero Trust Strategy,” he said. “Our role at CISA is to make sure that we’re putting out guidance that’s useful across the board but also giving agencies bespoke support and assistance where they need it to figure out where to go next and to get the resources to move in the right direction.”

The move toward better identity and access management and a least-privilege approach isn’t new. The White House issued Homeland Security Presidential Directive-12 in 2004, mandating a common identity credential for federal employees and contractors, and OMB led a governmentwide cybersecurity sprint toward strong authentication and least-privileged access in 2015, after hackers stole the personal data of more than 21 million people from the Office of Personnel Management.

But what’s different now, Goldstein said, is a combination of factors: a change in philosophy; better technologies, such as the cloud, the Fast IDentity Online 2 (FIDO2) authentication standard and others; and 15 years of suffering data breaches that traced back to weak identity verification and validation.

“This understanding of the issue is not just how does a user authenticate but how are their credentials controlled and really adopting these principles of least privilege, making sure that we are really locking down access and privileges to the bare minimum needed for a job function, such that if an individual’s account is compromised, the adversary’s ability to take actions on a network or move laterally is limited,” Goldstein said. “We also have really strong adoption of role-based access controls to make sure that we are really limiting what users can do to make sure that, again, we are limiting the blast radius, what an adversary could achieve, and then really critically, narrowing down the breadth of super users — of administrators — and making sure that those accounts are locked down and are closely monitored.”

Governance, workflows remain important

CISA has seen how attackers actively pursue end users with elevated privileges. In response, it provides agencies with services to lock down those accounts and to hunt for unusual activity that could signal a threat or an attack in progress.

Ultimately, the success of federal zero trust efforts hinges on more than tackling a technology implementation, Goldstein said. It’s dependent on improving governance across agencies, their data and process workflows, and their management of people and culture.

If an agency reduces someone’s privileges under zero trust, it should explain why and explain how the governance process works, Goldstein said. To get to that state, agencies must build those governance processes once they have the technology deployed to manage true role-based access and apply a least-privilege philosophy, he said.

“That involves some friction for users. That process is really very individualized, not just to an agency, but really to the suborganization that’s being directly managed,” Goldstein said. “The technology is there. The technology is effective. But building in that governance and process — and helping users understand the point of the process — has certainly been an effort for most agencies. And the government is not unique. That’s generally a characteristic of strong access management across the board.”

To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.