Earlier this year, the Cybersecurity and Infrastructure Security Agency published revised guidelines for modernizing cybersecurity capabilities and protecting critical infrastructure within the U.S. federal government. CISA’s Zero Trust Maturity Model 2.0 was released just 18 months after the original roadmap was unveiled. The revised guidance covers the implementation of Zero Trust across five key pillars: identity; devices; networks; applications and workloads; and data.
Under normal circumstances, putting out new guidelines to steer the implementation of a major, governmentwide security program wouldn’t happen so quickly. Measured against the typical pace of governmental change, CISA acted at breakneck speed. This quick and decisive action comes at a time when cybersecurity has become a high-stakes government mission.
CISA’s director, Jen Easterly, recognized that some federal civilian agencies are struggling to meet the September 2024 deadline for implementing a plan for Zero Trust architecture – a requirement of the administration’s 2021 Executive Order on Improving the Nation’s Cybersecurity. Her action further acknowledges that cybersecurity has become a cornerstone of national security. As cyber threats escalate, bolstering the security of critical IT infrastructure must be a priority.
Crawling Toward Compliance
Agencies are learning that the shift from perimeter security to Zero Trust architecture is a major undertaking. The revised guidance seeks to further help agencies navigate the transition. Updates made to CISA’s roadmap attracted almost 380 comments from industry and public sources, which CISA used as a platform for advancing the public-private partnership.
The feedback indicates that progress toward the 2024 deadline varies among agencies, with some having trouble getting started. Changes to the guidance, including the addition of a new level of progress, seek to boost agencies as they build momentum toward compliance.
That process was initially predicated on the idea that agencies in transition must walk before they can run. Now, with the release of its updated roadmap, CISA is saying that on the road to change, some agencies will be able to walk only after learning to crawl.
To Get There Faster, Start with Data
Regardless of how much progress an agency has made toward Zero Trust compliance, taking these 8 steps will help move it in the right direction to improve security:
1) Assess existing technology and evaluate its capacity to help with meeting security requirements right away. For agencies preparing to crawl, understand your tech stack. Inventory the enterprise and understand current data collection. Do you need additional data – network data, log data, endpoint data – to strengthen your security posture? Can everyone who needs data to perform their missions access it?
2) Do a crosswalk of technology and data. Crosswalks improve interoperability among metadata to facilitate the exchange of records. Analyze needs and understand requirements, being clear about what can be met with current resources.
3) Get staff on board and train everyone to understand what is changing with the shift to Zero Trust. Encourage them to learn new skills and ways of operating in a Zero Trust environment.
4) Rally everyone to focus on a common data set and to understand its security value. Do your logging and data storage capabilities centralize everything and make data accessible? Some successful cyberattacks have occurred because security teams didn’t have the actionable data needed to thwart attackers.
5) Educate teams on the difference between complying with requirements and being cybersecure. This is too important to simply check the box.
6) Ensure that the implementation of Zero Trust doesn’t detract from your agency’s mission. Similarly, Zero Trust shouldn’t be cumbersome to use and maintain. If it’s not user-friendly, people will find ways to check the compliance box while working around the spirit of Zero Trust.
7) Don’t allow legacy IT to be a showstopper. Comments received by CISA suggested that legacy infrastructures built on implicit trust were impeding the rollout of Zero Trust architectures. Make progress where you can. Capture data in legacy systems, for example, and combine it with data from other sources to meet the requirements of Zero Trust.
8) Leverage tools already in your technology stack or acquire low-cost tech to meet specific needs. It’s important to establish a culture and framework to support Zero Trust.
Among the many components of a Zero Trust architecture, data is the key to successful implementation. CISA’s pillars of Zero Trust rely on the availability of robust, trusted data to verify users and devices, monitor networks, and secure applications and workloads. Being able to automate information collection, such as logging data, and centralize it for easy access is a good place to start.
John Harmon is Regional Vice President of Cyber Solutions at Elastic, a provider of search analytics and cybersecurity services to companies and governments.
This article is an Op-Ed and the opinions expressed are those of the author.