Current and former Cybersecurity and Infrastructure Security Agency (CISA) officials agreed today that the road to implementing zero trust security concepts is long – and possibly without end – but at any rate stretches at least three years into the future in order to achieve a “good start” at getting to the goal.
That was the consensus opinion of Matt Hartman, deputy executive assistant director for cybersecurity at CISA, and Bryan Ware, who stepped down late last year as CISA assistant director of cybersecurity. Both spoke today during MeriTalk’s Accelerating Success – How to Meet the Requirements of the New Cybersecurity Executive Order webinar.
The directive for Federal agencies to move to zero trust architectures is one of the main drivers of the Biden administration’s cybersecurity executive order issued earlier this year, and along with adoption of cloud services, sets a full table for agencies to modernize both their IT infrastructures and the security technologies to protect them.
“A reasonable timeline” for Federal agency progress on the move toward zero trust is three years, Hartman said, adding that targeting that time frame for a “significant start” at the goal “is a good way to think about it.”
He said that CISA is forecasting three major challenge areas for Federal agencies, including: having legacy systems that rely on implicit trust that conflicts with the zero trust model of implicit distrust of users; other existing infrastructures also built on implicit trust that must be rebuilt; and a lack of consensus on the “right maturity model” for zero trust.
The National Security Agency (NSA) issued zero trust maturity model guidance earlier this year, and Hartman said today that CISA has worked up a draft zero trust maturity model to support agencies, and added that the model was created in partnership with NSA and the National Institute of Standards and Technology.
Ware, who is now president at Next5, opined that “we won’t ever be done” with zero trust security implementation.
He said that three years would represent a window “we can aspire to” to have a significant start on the transition, which will be altered over time by various factors such as changing data sources. “I can see CISA already sprinting to make initial strides that set us up for major improvements within the three-year horizon,” he said.
Elsewhere during the MeriTalk webinar, Hartman talked about CISA’s Continuous Diagnostics and Mitigation program as being the agency’s “most efficient vehicle” to achieve the cybersecurity order’s requirements for endpoint detection and response capabilities for all Federal networks.
He also said the executive order reinforces the authority of CISA to conduct cyber threat hunting across Federal agency networks, and said his agency plans to begin implementing that through the CDM program “in the coming weeks.”
“We are extremely anxious to begin [threat hunting] in earnest,” Hartman said. “We have long talked about the need to pivot from reactive to proactive” approaches to security, and the increased threat hunting activity “will begin to get us there.”
Miguel Sian, vice president of technology at Merlin Cyber, spoke during today’s webinar about the Federal government’s cyber incident response efforts, including best practices that CISA is supplying to agencies and the executive order’s direction to create a standard response playbook for agencies.
Discussing how Federal agencies can modernize their IT infrastructure and improve security, he offered that “cloud would be my first default” on how to modernize, as it greatly expands the speed and scope of data.