Michael Friedrich, December 9, 2021
Federal March to Zero Trust Security: CISA’s Guidance Focuses on Four Pillars
The Office of Management and Budget (OMB), the Department of Defense (DoD), the U.S. Air Force (USAF), the Defense Information Systems Agency (DISA) and now the Cybersecurity and Infrastructure Security Agency (CISA) have created or are in the process of finalizing Zero Trust security guidance.
The federal government spotlight on Zero Trust security also has been underscored by Congress looking into legislation to support the May 2021 executive order on Improving the Nation’s Cybersecurity. And the National Institute of Science and Technology (NIST) has released SP 800-207 on Zero Trust architecture and is conducting a CRADA research project with key industry partners, including Appgate, to provide NIST-approved best practices for implementing Zero Trust security.
For those of us serving in the federal cybersecurity space, it seems logical, based on the executive order, that CISA will be the key player in helping agencies in their journey to Zero Trust security. Toward that end, CISA drafted its Zero Trust Maturity Model in June 2021 and opened it up for public comment, in which Appgate participated. Now it is adjudicating those comments and will publish an update soon. CISA’s draft Zero Trust Maturity Model establishes a set of focus pillars for agencies, which are:
- Identity: Refers to an attribute or set of attributes that uniquely describe an agency user or entity. Agencies should ensure and enforce that the right users and entities have the right access to the right resources at the right time.
- Device: Refers to any hardware asset that can connect to a network, including internet of things (IoT) devices, mobile phones, laptops, servers and others. A device may be agency-owned or bring-your-own-device (BYOD). Agencies should inventory devices, secure all agency devices and prevent unauthorized devices from accessing resources.
- Network/Environment: Refers to an open communications medium used to transport messages, including agency internal networks, wireless networks and the internet. Agencies should segment and control networks and manage internal and external data flows.
- Application Workload: Includes agency systems, computer programs and services that execute on-premises, as well as in a cloud environment. Agencies should secure and manage the application layer as well as containers and provide secure application delivery.
When talking about Zero Trust security we must always account for the fact that it is a journey to implement a Zero Trust architecture, not a sprint. Agencies have many application workloads and dependencies that must be accounted for along this journey. Further, they need to truly identify the five Ws—who, what, where, when and why—that never seem to go away. They are like Moore’s law and must be answered to complete each project plan and execute on Zero Trust security goals.
But, let me provide a word of caution from a leading company in this space: no one product, company or service provider will have all the answers and that is okay! The ultimate guidance CISA will provide as its optimal end goal will lay out critical areas of focus for federal government agencies to execute on. The industry now needs to help ensure plans are thorough, well thought out, measurable for success and will achieve those end state goals as defined.
For more on how our Appgate Federal Division is leading the way, please visit www.appgate.com/federal-division.