On May 12, President Biden signed a cybersecurity Executive Order (EO) aimed at improving efforts to “identify, deter, protect against, detect, and respond to these actions and actors”.
The order aims to improve federal security practices and threat intelligence sharing amongst federal agencies and the private sector; enhance software supply chain security, and improve federal security incident response. The impact of this order will ultimately extend beyond federal agencies, impacting vendors who directly support the government, and then passing on those requirements and features to their customer base. Central to the order is the implementation of zero trust security measures in all Federal agencies.
Cisco is proud to be a member of the Joint Cybersecurity Defense Collaborative, and is committed to improving the security of our entire community. We believe that zero trust principles and technologies will have positive impacts on the federal cybersecurity posture. We have reviewed and provided feedback to the draft documents that have been produced by the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA), including:
- OMB: Zero Trust Strategy
- CISA: Zero Trust Maturity Model
- CISA: Cloud Security Technical Reference Architecture
Each document serves a different purpose, with a different audience. Taken together, they form the basis of a zero trust foundation that agencies can use to implement and accelerate their zero trust strategies. Cisco has made enhancement suggestions to the authoring agencies, and there are some common themes across the three documents:
Consistency: Although each document speaks to a different primary audience, they should work in concert, adding to a common understanding of how and why to implement zero trust. In their current form, there are inconsistencies between them, for example the maturity model has different pillars than the strategy document. Variations like this will only serve to confuse implementers and delay progress. The final documents should be rationalized against each other.
Metrics and Measures: Our experience both internally and with customers shows that the zero trust journey is never complete, but instead becomes a way of operating. Leadership will need ways to measure not only the implementation of zero trust technologies, but also how effective the zero trust strategies are in mitigating and responding to threats over the long run. Each document should provide guidance on what and how to measure agency zero trust efforts. Consideration should be given to align these metrics to Federal Information Security Modernization Act (FISMA) and other existing security guidance requirements.
Risk-Based Approach: Zero trust cannot be imposed on an agency immediately, so choices must be made as to where to begin, and in what order to apply architectural elements. Given the current threats facing federal agencies, we recommend CISA be more prescriptive, based on known threats, as to where to focus first. This should be reflected in all three resources, and particularly the Strategy and Maturity Model documents. For example:
- Ransomware: Evaluating zero trust controls through the cyber kill chain, and requiring those controls be implemented first.Calling out MFA is a good first step, but items such as continuous monitoring of device health to detect malicious software, as well as securing email security architectures, would go a long way to minimizing the impact of ransomware first.
- Misuse of Legitimate credentials: Malicious insiders or not, the misuse of legitimate credentials remains a high risk area for government agencies. Leveraging least principle philosophies along with zero trust architectures such as network segmentation and east-west traffic monitoring will support controlling for this kind of threat.
Use Cases: Readers of these documents will benefit from having real world examples on which to model their own strategies. The maturity model begins to introduce use cases, but more can be done there, and use cases should be added to the other documents as well. Guidance should also be provided for use cases of assets that cannot be integrated into a zero trust architecture. Using practical examples of zero trust implementation will assist agencies to better define the architectures they need and to prioritize their deployments.
Leadership: All three documents are targeted at IT and Security teams within federal agencies. For security programs to be successful, full engagement is required from agency leadership. Additionally, implementation of zero trust principles will result in changes to the way the entire agency works, and will change risk tolerance for all agency employees. This effort must be visibly supported by non-technical agency leadership. These documents, particularly the strategy document, should make this clear.
Cisco is encouraged by the progress being made by the Federal government to strengthen their cybersecurity posture. The draft documents listed above are a tremendous addition to the existing cybersecurity resources available to agencies and their supply chain partners. We look forward to continuing our partnership with CISA, OMB and other agencies, and appreciate the opportunity to provide recommendations to improve these resources.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
CONNECT WITH CISCO