The Cybersecurity and Infrastructure Security Agency highlights the services it will make available to agencies so that they can achieve the goals of the new zero-trust security architecture.
CISA’s draft Zero Trust Maturity Model, released this week, is not entirely new. Sean Connelly, responsible for the Trusted Internet Connections program at CISA, said CISA sent the document to agencies in June, shortly after President Joe Biden’s cybersecurity executive order in May ordered agencies to propose zero trust implementation strategies.
“The agencies were just asking for quick relief, quick guidance on how to build zero trust,” Connelly said in a Sept. 8 event produced by NextGov. “There are a number of maturity models, both on the supplier side and on the [Defense Department] side. But we built ours more on the civilian side.”
The Office of Management and Budget calls on agencies to achieve a level of zero trust maturity by the end of fiscal 2024.
CISA is now seeking comments on the maturity model until October 1. The agency is also seeking comments on a new cloud security technical reference architecture document before the same deadline.
The maturity model is built around the five “pillars” of zero trust also endorsed by the OMB: identity, device, network / environment, application workload and data. It also describes the stages of maturity for each pillar, starting with “traditional”, then “advanced” and finally “optimal”.
For the “identity” pillar, for example, a “traditional” maturity stage includes the use of passwords and multi-factor authentication and “limited risk assessment”, while an “optimal” approach involves “continuous validation” and “real-time machine learning analysis”.
And for each pillar, the document highlights current and future CISA services and offerings that agencies can use to achieve zero trust maturity.
“We are integrating some of the CISA services,” Connelly said. “They are either there today or potential CISA services that we will support or tentatively offer later, so agencies can understand as we build the maturity model, where agencies can leverage CISA services.”
He cited advanced domain name system protection services as an example of the offerings CISA will make available “over the next year”.
“This would be a strong service that agencies should know about as part of the network pillar of the zero trust maturity model,” he added.
On the data side, the draft maturity model indicates that future interim CISA offerings include “readiness surveys to assess the maturity of the zero trust pillars in agencies”.
“CISA will provide agencies with unique zero-trust maturity feedback on these investigations, and agencies can use that feedback to identify gaps and prioritize data protection,” the document said.
The draft notes how adopting zero trust “will require the commitment and cooperation of senior management, IT staff and users across the federal government to effectively achieve design goals and improve cybersecurity posture.” It says the same also applies to the cloud adoption mandated by Biden’s executive order.
“This federal government’s cybersecurity modernization will force agencies to migrate siloed IT services and staff to coordinated and collaborative components of a zero trust strategy,” the document said.
The infiltration of SolarWinds’ supply chain, recent ransomware events and other cyberattacks have formed a crisis that is prompting the government to act on cybersecurity, especially in “consolidation” and “fulfillment” efforts and programs that might not have been possible before, according to André Mendes, chief information officer at the Department of Commerce.
“The big agencies need to come together like Commerce did to make an effort,” Mendes said at the NextGov event. “If they’re going to have resource problems, they’re going to have resource problems because they will have multiple efforts. I think it is the responsibility of the agency’s CIOs and [chief information security officers] to get everyone, all offices and everyone, and basically say, ‘This is what we need to do.’”