Zero Trust Cyber Exchange: CISA’s John Simms on preparing people for zero trust

The Cybersecurity and Infrastructure Security Agency’s role in federal cybersecurity efforts has grown rapidly in recent years, and that trend is only expected to continue as agencies start to implement their zero trust plans.

The White House’s Zero Trust Strategy says both the Office of Management and Budget and CISA will work with agencies throughout their zero trust implementations. CISA services like the Continuous Diagnostics and Mitigation program will be critical for civilian agencies on their zero trust journeys. And CISA’s Zero Trust Maturity Model provides the basis for agencies’ zero trust implementation plans.

CISA Senior Technical Advisor John Simms says the cyber agency has started to organize webinars through its “Cyberstat” program to specifically provide awareness and training to agencies on the zero trust concept. Attendance for some of the more recent webinars has approached 700 people, Simms said.

“We perform webinars to look at zero trust concepts in the form of doing deep dives into the individual pillars of the Zero Trust Maturity Model to really get into a good conversation with agencies about some specific challenges that they’re going to encounter, or that they brought to our attention that are challenging for them as they’re looking to plan and execute their journey on zero trust,” Simms said during Federal News Network’s Zero Trust Cyber Exchange.

So far, one of the early question marks for agencies has been around implementing the identity pillar, Simms said. The Zero Trust Strategy emphasizes the importance of strong enterprise identity and access management. In particular, the White House is encouraging agencies to adopt phishing-resistant multi-factor authentication measures.

Zero Trust Maturity Model updates

CISA is also in the midst of updating its Version 1 Zero Trust Maturity Model. Published in June 2021, the model includes five pillars and three cross-cutting capabilities of zero trust.

CISA has received over 300 comments from a wide variety of organizations, including other agencies, industry, academic organizations and some international partners. Identity has also been a persistent theme in the responses, Simms said.

“We’ve received more questions and comments out of the identity pillar than any of the others,” he said. “That’s one of the cornerstones of zero trust, so it makes a lot of sense. And I think it gives us a lot to look forward to in terms of how we’re going to make adjustments to the maturity model in this next revision on identity as well as the other pillars.”

Simms said the agency expects to publish a revised model in the coming months.

Agencies confident in zero trust plans

Despite the evolving cyberthreat environment and past federal struggles with cybersecurity, most agencies are confident they’ll meet the mandate from OMB to achieve specific zero trust architecture goals by the end of fiscal 2024, according to a survey conducted by General Dynamics Information Technology earlier this year.

GDIT found 14% of agencies said they will meet the requirements early, while 49% responded that they will meet them on time. Only 10% felt they would miss most or all of the deadlines.

The survey found varying levels of maturity across the zero trust pillars. For example, 46% of agencies said they have advanced identity capabilities, while only 35% felt they were in the advanced category for the devices pillar.

“Every agency is different, and they’ve all made different investments,” GDIT vice president for cyber Matthew McFadden said. “One of the biggest challenges that they have is really understanding where to prioritize those investments.”

CISA will be able to help agencies with the “weak points” in their plans, according to Matt Hayden, a former senior advisor at CISA and now GDIT’s vice president of cyber client engagement.

“If I am a CIO for an agency that knows that I’m not going to be able to hit this in time, I’m going to go to CISA and say, ‘Here’s my plan. Here’s where we know we have strengths and we have opportunity. What am I missing and where can you step in with an additional suggestion or service, or do I need to go to some other offeror?’” Hayden said.

CISA services central to White House security mandates

To that end, CISA’s services and guidance have been central to the White House’s cybersecurity mandates, including the Zero Trust Strategy and last year’s cybersecurity executive order.

“We’ve got a number of different opportunities to talk to agencies. We also talked to the vendor communities about how they can better support the federal agencies in their move to cloud and zero trust,” Simms said. “So we’re using every lever we possibly can in terms of pulling the levers and conversations and all of our implementation guidance to make sure that we’re staying focused on achieving the near-term and long-term goals and objectives for zero trust.”

In particular, CISA’s CDM program is expected to play a crucial role in helping agencies achieve awareness of the assets they need to secure across their enterprises, especially as they move IT infrastructure into commercial cloud environments.

“When we look at cloud and what it means to do CDM in the cloud, there’s a synergy between several of our programs to where we have to look beyond the program-specific and look at how we collapse some of our program capabilities and requirements to make sure that agencies can clearly understand what we’re looking for,” Simms said.

“We’ve done a lot of work. We still have some work to do to make sure that there’s more uniform alignment. But I think the cloud in particular is a good environment for us to fully utilize the CDM program characteristics and capabilities to support what we’re trying to achieve with the zero trust strategy in particular.”

To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.

Featured speaker

  • John Simms

    Senior Technical Advisor, Cybersecurity and Infrastructure Security Agency