As agencies strive to meet changing zero trust security requirements, an official from the Cybersecurity and Infrastructure Security Agency (CISA) said that he’s seeing an increased sense of urgency to implement those requirements to collectively move “the Federal fleet forward.”
At MeriTalk’s “Zeroing in on Network: 2022 Federal Zero Trust Maturity” webinar on April 19, Sean Connelly, the Trusted Internet Connections (TIC) program manager and senior cybersecurity architect at CISA, said recent Federal guidance – such as the Office of Management and Budget’s (OMB) Federal Zero Trust Strategy – has helped to catalyze this sense of urgency.
“I’m glad to see that this messaging … is resonating inside the agencies,” Connelly said. “I think there is an urgency to this, and with that, there are some questions – how do we move forward collectively, how do we do it in a responsible way?”
“This is a new category. This is a new way to start looking at cybersecurity and there’s a lot of questions,” he added. “And so we have to be careful at the same time recognizing that the adversary is not waiting on us and we have to move forward, if only because adversaries [are] moving very forward, as well.”
MeriTalk and Merlin Cyber surveyed more than 150 Federal cybersecurity executives to explore momentum, priorities, and challenges around the evolution to zero trust security.
To Connelly’s point, the survey found 92 percent of respondents said recent Federal initiatives – such as the OMB strategy, cybersecurity executive order, and CISA’s maturity model – have increased their confidence in implementing zero trust.
The April 19 webinar was the third in a four-part series, with this conversation centered around the network pillar of zero trust. When it comes to the network pillar, Connelly said agencies no longer have a “single network” they can manage themselves.
Connelly said that, especially with the increase in telework and remote work, agencies now need to “start supporting other networks” and put new controls in place to have network visibility. He explained that those controls are “less on the network pillar” and geared more toward the application, the device, or the data itself.
“I think when you talk to agencies you recognize the role and importance of identity in zero trust… identity is now becoming the network,” Connelly said. “Identity is what’s connecting everything together.”
“It’s interesting how that shift is now less than a traditional network… toward having the consolidated or the connected device itself with the data in there,” he added. “That contextual awareness and how it all connects together in new ways is where I think the opportunities lie.”
Dean Webb, a cybersecurity engineer at Merlin Cyber, agreed with Connelly and emphasized that agencies now need to have greater visibility of what’s on their networks.
“The network is the reason we’re having this conversation in the first place. It is connecting, not just trusted assets to trusted users, it’s now connecting anyone and everyone, to anywhere and everywhere,” Webb said.
“Because it is pervasive, we have to change our paradigm on what we’re looking at in the network. It’s less about perimeters and more about visibility of what’s on that network and traffic analysis of how those devices are communicating with each other,” Webb added.
Connelly is hopeful that Federal guidance will only continue to “build the momentum” for zero trust implementation at the agency level.
“The lesson learned – I think this is key from what OMB has done with their memo – is recognize that we need to start small and we need to start … but we can’t start broadly across everyone,” Connelly said.
For the entire conversation, please access the complimentary webinar here.