Zero Trust Could Become an 'Incomplete Experiment' Without Permanent Office, Advisors Warn


The government’s efforts to improve U.S. cybersecurity threaten to peter out if not firmed up.

The Cybersecurity and Infrastructure Security Agency should be home to a new office on the implementation of zero trust principles, according to the National Security Telecommunications Advisory Committee.

The program office would be “for federal civilian agencies to host implementation guidance, reference architectures, capability catalogs, training modules and generally serve as a civilian government knowledge management center of excellence for zero trust,” according to a new NSTAC report. “To the extent practicable, the proposed civilian program office should coordinate and share best practices with the recently established Department of Defense Zero Trust Program Office.”

That’s one of several recommendations the committee of major industry representatives, tasked with advising the president, unanimously approved during a meeting Wednesday. The committee said that while the Office of Management and Budget’s Federal Zero Trust Strategy is appropriately projected over a 2.5-year period, the government should do more to ensure identity management and zero trust initiatives are comprehensively implemented for the long run.

“Absent additional significant action, the U.S. Government risks zero trust becoming an incomplete experiment—a collection of disjointed technical security projects measured in years—rather than the foundation of an enduring, coherent and transformative strategy measured in decades,” reads a new report from the NSTAC.

Other recommendations include having the chief information security officer and the national cyber director come up with zero trust metrics and reporting requirements, creating a CISA zero trust shared security service for internet-accessible asset discovery and advancing zero trust at international standards bodies.

The report is the second of three the National Security Council asked the group to complete. In November, NSTAC recommended agencies invest in automating software assurance. Next, the committee will examine the convergence of information technology and the operational technology used in industrial control systems.