Zero Trust Cyber Exchange: NSA’s Kevin Bingham on innovating in a legacy environment

The National Security Agency’s Cybersecurity Directorate is helping Defense Department and intelligence agencies bridge the gap between their legacy IT environments and the shift to zero trust architectures through evolving guidance, technology testbeds and stronger engagements.

While civilian agencies got their marching orders from an Office of Management and Budget memo on zero trust released this past February, the national security community has been considering the concept for several years.

But the whole-of-government push to adopt zero trust combined with a recent White House directive has put more teeth behind NSA’s push to ensure classified system owners are also using the architecture.

Although the zero trust model has been around for more than a decade, it’s been a challenge to get organizations to shift their mindset away from a perimeter defense approach, said Kevin Bingham, NSA’s zero trust lead.

“We can say, ‘Assume breach,’ but people want to do the same things that they’ve done in the past,” Bingham said during Federal News Network’s Zero Trust Cyber Exchange.

“It’s just the way our programs are set up,” he said. “It’s the way you were trained. If I’m an endpoint security engineer, I want to focus on protecting the endpoints. … That cultural change is hard.”

Government moves out en masse on zero trust

But the May 2021 cybersecurity executive order highlighted the imperative to move the federal enterprise toward a zero trust posture, and Bingham said he’s seen significant momentum ever since.

“The acceptance of the model has happened a lot quicker in the last two years than I would have expected,” he added.

NSA has spent the last several years developing and releasing specific guidance on zero trust models. In February, the agency published “Embracing a Zero Trust Security Model,” which lays out the principles of the architecture in nontechnical terms.

That same month, a joint engineering team from the NSA and the Defense Information Systems Agency put out Version 1 of a Zero Trust Reference Architecture to help guide DoD and intelligence components as they apply the security model to their IT environments.

Bingham said his team is also working on zero trust testbeds to further refine its guidance and help organizations achieve their security goals.

“We’re working on zero trust testbeds within our team to not only learn the approaches to zero trust but to understand what will work, how to do it — hopefully efficiently without spending more money than we need to,” he said. “All of that knowledge that we gain we’ll then feed back into customer guidance as we work with them, or additional documentation that we might put out through additional cybersecurity information sheets in the future to help with a particular aspect of zero trust implementation.”

Helping organizations understand the technical implementation of zero trust is especially important, as many look to pivot legacy IT environments toward the new model.

“We don’t say that with zero trust, you have to start green field and start new with new IT systems,” Bingham said. “You can bring legacy into a zero trust environment. But when you do legacy toward zero trust, we normally expect organizations to go through a maturity process.”

The DoD and NSA reference architecture recognizes that reality, laying out how organizations can first start preparing for zero trust implementation before they move through baseline, intermediate and advanced levels of maturity.

NSA at the center of zero trust

In January, President Joe Biden signed a national security memorandum that further centralizes the role of NSA in overseeing cybersecurity for national security, DoD and intelligence community systems. Among other authorities, the memorandum gives NSA the ability to issue binding operational directives to ensure agencies are patching critical vulnerabilities.

It also directs Defense and intelligence agencies to develop plans for implementing zero trust architecture. Bingham said the directive has been a “strong forcing function” to engage with national security system owners, and his team is currently reviewing agencies’ plans.

“It helps us understand who we might want to reach out to or some other examples of who’s already moving out and doing great stuff already at a higher level of maturity,” he said. “For us, it’s been centering, and it’s provided some organization within the Cybersecurity Directorate of how we need to move out on this.”

The plans so far have shown Defense and intelligence organizations are at varying levels of maturity when it comes to zero trust, Bingham said. His team is focused on further supporting teams from those organizations with advice and guidance to help them bridge any gaps in their plans.

“I was pleased to see that a number of organizations are already moving out on this and understand zero trust and are starting to speak the language in a way that I feel very good about,” he said. “It’s peer-level communication on how they’re trying to do zero trust and speaking the words that we pretty much only heard ourselves saying for the first year or so of working the zero trust effort.”

Reference Architecture 2.0 coming

DoD is also in the process of updating the Zero Trust Reference Architecture.

“There is a Version 2 that is being worked on,” Bingham said. “I don’t have a date for when the intent to release that is. But we originally wrote the reference architecture with the intent of trying to make it as future-proof as possible.”

NSA is also working with organizations like DISA and the DoD Zero Trust Portfolio Management Office at the Pentagon to help agencies find innovative ways of adopting the security architecture.

“So that organizations can move out and innovate and make progress and not just wait for a cloud solution to come along or some other IT new start to come along that’s going to solve our problems, because there’s going to be legacy environments that won’t go away,” Bingham said.

To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.