In the wake of President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity, U.S. government agencies are making the push towards Zero Trust to shore up the nation’s critical infrastructure cyber defenses.
These efforts include meeting specific cybersecurity guidelines and standards issued by various agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Defense (DOD), and the National Security Agency (NSA).
But getting to Zero Trust is far from easy. Issues like legacy systems (some can't be updated), the lack of interoperability and data sharing, the need for compliance, and a digital skills gap complicate agencies’ ability to move toward a Zero Trust architecture. Many agencies are starting by implementing Zero Trust at different places, which means some are in a better position than others to begin their journey.
In response, CISA recently published the Zero Trust Maturity Model 2.0 to help federal civilian agencies (think the U.S. Department of Commerce and U.S. Environmental Protection Agency) make the transition easier. Specifically, the updated Zero Trust Maturity Model fleshes out more details around how to move through the various stages of Zero Trust adoption. Although the updated model is intended to support federal agencies, CISA is also encouraging the private sector to review these guidelines for their own implementations.
The journey to Zero Trust
Moving to Zero Trust isn’t a one-and-done approach. And it definitely isn’t linear. For CISA, Zero Trust is a journey.
Initially, the Zero Trust Maturity Model featured three stages: traditional, advanced, and optimal. But as agencies started to shift from a traditional, perimeter defense approach, the leap to “all-in” Zero Trust proved to be too much. Based on recommendations from a public comment period, CISA revised the Zero Trust Maturity Model to add an initial stage. The four stages in sequence are now: traditional, initial, advanced, and optimal.
Source: CISA Zero Trust Maturity Model 2.0
Along with adding another level of maturity, CISA expanded its guidance across the five pillars of Zero Trust: identity, devices, networks, applications and workloads, and data. Specifically, the Zero Trust Maturity Model 2.0 now covers a broader range of cybersecurity domains, like access management, policy enforcement and compliance monitoring, and asset and supply chain risk management.
Source: CISA Zero Trust Maturity Evolution
Let’s look at devices throughout the Zero Trust journey.
Traditionally, device inventory is done manually, or piecemeal across various disparate tools. On top of that, organizations often deploy threat protection technology to help identify devices in the environment. This means there’s not a lot of visibility into compliance, or even security state, in many cases. For agencies trying to reach the initial stage of Zero Trust maturity, all physical assets must be tracked and some protections automated, with limited device-based access control and compliance enforcement.
To move to the advanced stage, agencies must be able to track all physical and virtual assets, implement enforced compliance with integrated threat protections, and make any initial resource access depend on device posture.
For the final (optimal) stage, agencies must have continuous physical and virtual asset analysis like automated supply chain risk management and integrated threat protections.
Each of these stages takes time, and a whole lot of effort. But the good news is that a cybersecurity asset management solution can help speed things up.
By tracking all devices, cloud services, software, and users no matter where they’re located, cybersecurity asset management solutions give federal IT and security teams more visibility into what’s happening in their IT environments. Cybersecurity asset management provides an always up-to-date inventory and an option for automated incident response, helping to reduce exposure to cyberattacks and quickly contain and remediate threat actors.
More federal guidance around Zero Trust
Along with CISA’s Zero Trust Maturity Model 2.0, the intelligence and military branches are taking their own approaches to Zero Trust.
The NSA recently issued new recommendations on identity, credential, and access management security controls for its Zero Trust initiative. The cybersecurity information sheet centers around managing user access. Specifically, the NSA details how identity, credential, and access management, along with governance, are all necessary parts of a Zero Trust model.
Meanwhile, the DOD recently announced it’s on track to implement its Zero Trust cybersecurity framework by fiscal year 2027. The DOD’s Zero Trust Strategy and Roadmap envisions an information enterprise secured by a fully implemented, department-wide cybersecurity framework that reduces the attack surface, enables risk management, makes data sharing effective in partnership environments, and quickly discovers and resolves security incidents.
And coming full circle, the Biden Administration is expected to give more details in the coming months around its National Cybersecurity Strategy. The policy document stresses a commitment to modernize the federal government’s digital ecosystem, with Zero Trust principles as a critical first step. Zero Trust is also a crucial element to ensure the federal government can meet its secure-by-design requirements.
Even with mandates, guidelines, and other initiatives, more needs to be done when it comes to Zero Trust. The reason: adopting Zero Trust is a cultural shift. It’s a new way of thinking about cybersecurity. Zero Trust requires collaboration and information sharing, making cybersecurity a more holistic approach. As technology continues to rapidly evolve, the federal government’s guidance will need to evolve with it.