Zero Trust Implementation for Cybersecurity Requires Short-Term Execution Tied to Long-Term Vision
Federal agencies and their partners are engaged in a continuous and ongoing dialog about improvements to our cybersecurity posture. I am heartened by the fact that there is such continued focus on the topic and accelerated momentum in implementing improvements. With the January 26th release of OMB Memorandum M-22-09, and the release of the draft National Security Network Advisory Committee (NSTAC) Draft “Report to the President: Zero Trust and Trusted Identity Management” last week, I wanted to take the opportunity to emphasize certain recommendations from the draft report and to share what I am hearing from my colleagues in industry and government as to the challenges and opportunities associated with the implementation of zero trust.
The NSTAC draft report contains twenty-four recommendations and identifies nine of those as a priority for agency implementation. The nine priority recommendations, from my perspective, fall into three categories: governance, standards, and shared services.
It is important to address governance at the outset, as it is key to a successful long-term federal enterprise implementation of zero trust. The NSTAC draft report states the need to establish a whole-of-government approach and to manage implementation at an enterprise level, complete with all the expected governance elements. Those elements include, at a minimum, an enterprise program management office (PMO), a reporting and accountability structure, a unified plan, and oversight from appropriate stakeholders. If this structure is not in place, we risk the real possibility of agencies pursuing individual transactional improvements without the benefit of a clear vision.
In a conversation regarding this topic with Francis Rose on The Daily Scoop this week, I referred to the fact that there is already precedent for this enterprise model. The Continuous Diagnostics and Mitigation (CDM) program and its PMO were established within the Department of Homeland Security/CISA to ensure a set of cybersecurity improvements were met from a government-wide perspective. The program was legislated by Congress, with appropriated centralized funding and a mandate to build an enterprise implementation plan inclusive of all agency activity. In addition, the CDM PMO executed a centralized acquisition strategy and established shared services for agencies to use. OMB and DHS held periodic progress reviews with agencies and reported to Congressional stakeholders as required -- there is already a baseline of cyber reporting and what is added should indeed be minimal.
Both FISMA and FITARA have recently been the subject of legislative revisions, so there is a very real and timely opportunity to rationalize all cyber reporting requirements, avoiding any additional burden and ensuring that all measures are congruent. Finally, all this activity must be underpinned by best practice frameworks, maturity models, and playbooks, and ultimately codified in NIST standards.
Establishing governance, standards and shared services will focus us on the long-term vision, but agencies are already in the throes of implementing the short-term requirements of zero trust. In discussions with my government and industry colleagues, some common and unsurprising challenges are emerging. The bottom line is that zero trust has at its center the concepts of data architecture and identity and access management. The incorporation of the principle of “least privilege access” requires that agencies understand their data and data flows, and how employees, external partners and customers interact with that data. This fundamental foundation must be established to correctly classify the protection level required for data and to develop appropriate fine-grained permissions for access. This foundation is also necessary to take full advantage of the tools and analytics that can accelerate and augment the implementation of zero trust.
Most importantly, establishing an effective data architecture and identity and access management ruleset is work within the purview of the agency personnel who best understand the mission and data within their portfolios. My observation is that most agencies have not completed this work in its entirety, but must do so to move forward with speed. The good news is that the Foundations for Evidenced-Based Policy Act has already established the imperative for CIOs, CDOs and Program Executives to work together to understand and make best use of their data for policy making, mission execution, and program performance/ management. In parallel to establishing a data and access baseline, agencies can take best advantage of technologies and toolsets to improve operational cybersecurity. Some examples of approaches available include data discovery and classification tools, identity proofing that incorporates biometrics and behavior, and technology that assists with establishing data provenance and tracking data flows.
In conclusion, federal agencies can start with the basics of understanding their data portfolio and integrating that data with appropriate access. It is the most cost-effective way to gain traction. This is not glamorous work, but it is key to success. At the same time, an overarching governance approach needs to be established to integrate and guide all agency activities for long-term success.
** Margie is also a member of the Center for Government Cybersecurity Advisory Board.