The agency has already released a draft model to guide agencies’ implementation of the concept under a recent executive order.
The White House is working on a strategy to boost organizations’ use of security systems that look for threats within networks, in addition to guarding the perimeter, according to a Cybersecurity and Infrastructure Security Agency official.
CISA Deputy Executive Assistant Director Matt Hartman said while working to create a model to guide federal agencies’ implementation of zero trust, as the practice is known, “we have partnered closely with [the National Institute of Standards and Technology], we have worked closely with [the National Security Agency] and others on this, closely with the White House as they're going to be putting out a strategy.”
Hartman participated in an event MeriTalk hosted Tuesday on a May 12 Executive Order that gave agencies 60 days to develop zero-trust implementation plans, with a particular focus on cloud migration.
He described a document CISA shared with agencies last week as an attempt to clarify the principles of zero trust and provide options for steps they can take in what is expected to be a long and ongoing process.
The draft model CISA developed consists of five pillars—identity, device, network, application workload and data—with markers along three stages toward achieving a mature zero-trust architecture, Hartman said, stressing continual identity verification as core in a security system that assumes a breach has already happened.
“We've provided them with targets in each maturity stage,” he said, “so taking identity as an example, since it is widely accepted that optimizing identity is a major component to achieving zero trust, agencies will move from traditional, which includes the use of passwords or [multi factor authentication] and limited risk assessment, to advanced, which includes fully implemented MFA and some identity federation with cloud and on premises systems, to optimized, which really includes continuous validation and real-time machine learning analytics.”
Procurement personnel are already feeling pressure from industry vendors to move forward on technology to facilitate zero trust, such as endpoint detection and response offerings, but current and former officials participating in the event urged caution.
“We appreciate our partners and understand this pressure,” Hartman said, noting CISA’s guidance is designed to allow agencies with vastly varying budgets to move at their own pace. “This is the way it should work rather than just jumping straight into hundreds of millions of dollars of procurement actions. We want to be as transparent as we can and we want to move as quickly as we can in a measured fashion.”
Former CISA Assistant Director for Cybersecurity Bryan Ware anticipated that deciphering the real deal amid a gazillion entities claiming to offer zero-trust solutions will be a major challenge for the government.
“I think what's going to be really hard for departments and agencies, and for CISA, is trying to cut through the hype,” said Ware, who is now president of Next 5. “We don't want to spend years in zero trust strategy before we get to zero trust implementation and execution but if we move too fast, you know, buying what's on the back of the box, I think there'll be a lot of misses and mis-deployments.”
There are two other important reasons to control the number of vendors allowed to serve the federal enterprise, he said. One is the fact that reaping all the benefits of zero trust will be based on large-scale data analysis to pick up on suspicious activity such as strange login locations or other anomalous traffic patterns.
“All this visibility is going to mean the federation of data across departments and agencies,” he said. “The more products there are in the market, the harder it's going to be to federate and normalize that data.”
At the same time, Ware is wary about the temptation to rely on a single vendor. “We probably don't want to put all our eggs in one vendor solution,” he said, suggesting “more than one, less than four seems like the right number of vendors for EDR, or for cloud analytics and so forth.”
Ware recommended agencies use CISA’s Cybersecurity Quality Services Management Office Marketplace to identify appropriate vendors and used the event that prompted the executive order—which extended beyond the breach of IT management company SolarWinds—to provide an example of the importance of vendor diversity.
“There's going to be a tendency I think for departments and agencies to really want to double down on a single vendor and I'd just be really cautious about that, particularly on the cloud side. I mean we're coming out of an incident that we call the SolarWinds incident but really, in that incident we saw the adversary pretty much completely own the Microsoft platform,” Ware said. “That's an area where I'd like to see some diversity in, both the cloud vendors, but also diversity in the, in the detection technologies, and the identity technologies to just make sure that … we have as much visibility as we can and as much scalability as we can and that we don't make the adversaries’ job too easy for them by having that monoculture in the, in the .gov.”
Speaking at a separate event earlier on Tuesday, CISA’s National Risk Management Center Director Robert Kolasky also mentioned Microsoft in giving another reason to aggregate the government’s buying power, as the executive order aims to do.
“Hell, we all rely on Microsoft,” he said. “How much leverage does any one of us have on Microsoft, right? So, you know, it's figuring that mix out.”