CISA predicts cyber EO will drive progress on zero trust

Most agencies are just getting started creating plans around zero trust, but tight deadlines featured in President Joe Biden's cybersecurity executive order and a wave of new guidance, may speed up implementation across the entire government.

zero trust concept (deepadesigns/

Federal officials said Wednesday they see a path to "meaningful progress" on zero trust across government agencies in three years with the help of tight deadlines featured in President Joe Biden's cybersecurity executive order.

Most agencies were just beginning to create zero trust implementation plans in response to a 60-day deliverable within the cyber EO, according to Matt Hartman, deputy executive assistant director for Cybersecurity and Infrastructure Security Agency (CISA), who spoke at an ACT-IAC panel about the order's impact on improving national cybersecurity.

The White House had already begun collaborating with CISA and other relevant offices ahead of the May 12 order to release new guidelines around the use of advanced security systems. The interagency collaboration was a critical part of an ongoing effort to get various agencies up to speed, including those that had not yet begun developing any plans around zero trust, Hartman said.

"It's important to consider that many of these tasks [in the executive order] are sprints to develop strategies," he said. "The administration fully recognizes that many of the core issues being addressed will only be solved through years - literally years - of focus and continued investment."

The National Security Agency (NSA) released guidance for zero trust security models ahead of the executive order in late February, providing recommendations for implementation and describing the zero trust security model as "a coordinated system management strategy that assumes breaches are inevitable or have already occurred."

CISA also developed a zero trust maturity model in recent weeks for agencies seeking clarity on what key targets can be used to determine progress across five pillars: identity, device, network, application workload and data. A CISA representative later told FCW there was "nothing to share publicly at this time" on the zero trust maturity model document.

National Security Council (NSC) Director for Cyber Incident Response Iranga Kahangama said the timelines featured in the order were "aggressive but achievable." He also described the order as an authoritative document providing clarity about the direction and speed at which the White House aimed to achieve zero trust and an improved national cyber posture.

"I think we realized with the federal government and its complexity, it's going to take a winding path for each agency," he said. "But what we wanted to do was really send a signal to the whole bulk of government and to industry that this is where we're going."

A tranche of deadlines – those 60 days out from the issuance of the order -- are looming. By July 11, agencies need to submit plans and milestones for implementing zero trust architecture and report on these efforts to the Office of Management and Budget and the deputy national security adviser for cybersecurity – a position currently held by Anne Neuberger.

Despite the aggressive deadlines included in the cyber order, guidance around zero trust has been drafted to provide agencies with some flexibility around their own implementation timeframes. Hartman said CISA and the White House were working to develop "many enduring plans with additional milestones" by the 90-day benchmark included in the executive order around zero trust. At that time, OMB is due to issue cloud security guidance to push agencies toward zero-trust architectures.