Agencies face ‘inflection point’ ahead of looming zero-trust deadline, CISA official says
As federal agencies race to hit a White House deadline to submit updated zero-trust implementation plans next week, a top Cybersecurity and Infrastructure Security Agency official said she’s seen promising data leading up to that “inflection point.”
Speaking Wednesday at CyberScoop’s CyberTalks event in Washington, D.C., Shelly Hartsook, acting associate director of CISA’s Cybersecurity Division, said more details on agencies’ progress with zero-trust implementation would be available after they submit updated plans to the Office of the National Cyber Director and the Office of Management and Budget by Nov. 7. But CISA has seen encouraging data in the aftermath of OMB’s 2022 zero-trust memorandum and stands ready to help agencies with additional implementation tasks.
“In this inflection point, as we’re transitioning from that initial policy rollout into sustained implementation, CISA is also taking a more central role to this work,” Hartsook said. “First and foremost, we’ve been asked by the White House to really lean in on reviewing those implementation plans, being able to report out where we are, look at agencies and be able to meet them across their journey, and really taking a close look at gaps in CISA’s services so that we can offer more to agencies and be more of a force multiplier.”
The updated plans due next week are expected to detail implementation on “all information systems” in use by agencies, per OMB’s July memo, while also documenting current and target maturity levels in all five of CISA’s zero-trust pillars for “high-value assets and high-impact systems.”
Additional details will be provided to agencies “in the next day,” according to Mike Duffy, the acting federal chief information security officer. Duffy said OMB, the Federal CISO Council and the Federal Chief Data Officers Council are set to release a federal zero-trust data security guide that walks through some of the next steps agencies should take.
“It’s an important step forward for both councils, working together from the data side and the security side, tackling something that is critically important for artificial intelligence and vital for zero-trust maturation, which is, how do we identify and secure data?” Duffy said.
“It is one of the pillars in the zero-trust maturity model that has always been a challenge for large organizations,” he continued. “It is something that we as a government now have a way to wrap our arms around it through this guide. This was forecasted in 2022 as we thought through that policy for zero trust, that this guide would be important at this particular moment. And we’re excited to have that.”
At least some of that excitement can be attributed to data collected since OMB’s initial memo. Hartsook said between the fourth quarter of fiscal year 2021 and the fourth quarter of last year, agency implementation of multifactor authentication jumped from 53% to 80%, while phishing-resistant MFA increased from 46% to 71%.
“Those numbers are even more impressive if you think about the fact that we actually redefined the way the government was looking at MFA,” Hartsook said. “For many, many years, it was focused on the individual, whether or not they had a pin credential, and whether or not they were using that credential to log onto the network. And we flipped the script on that and really started looking at the specific systems and applications and whether or not we were putting our strongest protections at our most important assets.”
Additionally, Hartsook said there are 99 agencies that have implemented an appropriate endpoint detection and response tool, and of those, 78 exceeded a threshold of 90% or higher coverage across endpoints.
As those positive data points have trickled in, Hartsook said CISA has leaned more into training efforts, conducting 10 workshops for cyber staffers that were “consistently getting 600 participants or more,” in addition to opening up an “extensive public comment period” for the agency’s zero-trust maturity model.
Going forward, Hartsook said CISA is partnering with the Cloud Security Alliance on additional training programs, and is in the process of developing more “targeted, practical implementation guidance,” focused in part on micro-segmentation and the application of zero-trust operational technology.
“Every step, every action that we take towards zero trust is a step towards bolstering our national security,” she said. “We must continue to move towards a model that, even if adversaries are able to get inside of our environments, which increasingly they are, that we can find them faster, that we can keep them from moving around, that we can stop them from establishing persistence and achieving their aim.”