NSA offers new tips on zero trust and identity

NSA officials provided new recommendations on building zero trust maturity through identity management in an information sheet released Tuesday.

NSA officials provided new recommendations on building zero trust maturity through identity management in an information sheet released Tuesday. JuSun / Getty Images

Weaknesses in identity and access controls are allowing cyber attacks to happen, NSA officials say. A new tip sheet is meant to help national security systems mature their controls.

The National Security Agency has new recommendations on identity, credential and access management security controls and their role in zero trust architecture. 

The cybersecurity information sheet, released Tuesday, builds on previous NSA guidance on zero trust with more specifics for what it calls the “user pillar” focused on managing access. 

Although the information is intended for owners and operators of national security systems — including defense and intelligence agencies, but also contractors in the space — zero trust has been a cybersecurity focus for federal agencies since at least the beginning of the Biden administration. 

Government agencies were called to make plans for zero trust architecture in an executive order released by President Biden in May 2021. National security systems also got zero trust orders via a 2022 memo.

The White House defined zero trust as an architecture that “requires continuous verification of the operational picture via real-time information” in the order, meaning establishing IT systems that both monitor user behavior on networks and segment access in an effort to mitigate potential cyber attacks.

NSA’s model delineates zero trust into seven pillars: user, devices, applications & workloads, data, network & environment, automation & orchestration and visibility & analytics.

Within the user pillar, the information sheet details the capabilities needed for zero trust, including identity management, credential management, access management, federation to ensure system interoperability and governance around continuous improvement.  

The report goes through capabilities and maturity levels for identity, credential and access management, as well as identity federation, in what it says is a maturation of existing ICAM architecture for federal agencies in line with the zero trust model.

The new information sheet points to recent breaches and cyber attacks done by exploiting weaknesses in identity and access controls. In 2021, the Colonial Pipeline ransomware attack was perpetrated via a compromised password for a virtual private network that didn’t have multi-factor authentication in place. The 2015 data breach of personnel records at the Office of Personnel Management occurred via compromised credentials. 

“Malicious cyber actors increasingly exploit gaps and immature capabilities in the identity, credential, and access management of our nation’s most critical systems,” said Kevin Bingham, NSA’s zero trust lead said in a statement. “Our report provides recommendations that will help system operators strengthen identity protections to limit the damage of future compromises.”

NSA is also planning to release more information sheets meant to “help organize, guide and simplify incorporating zero trust principles and designs into enterprise networks,” according to the new cybersecurity information sheet.