A senior Cybersecurity and Infrastructure Security Agency (CISA) official provided an update this week on agency-level progress in the migration toward zero trust security architectures mandated by President Biden’s 2021 cybersecurity executive order and the subsequent guidance documents issued by CISA and the Office of Management and Budget (OMB).
Speaking at ATARC’s Zero Trust Summit on August 9, Sean Connelly, Trusted Internet Connections (TIC) program manager and senior cybersecurity architect at CISA, pointed to ongoing agency work on the identity pillar of zero trust. He also said agencies were at work toward meeting deadlines to migrate or create at least one FISMA-moderate system that is newly accessible over the public internet without relying on a virtual private network (VPN) or other network tunnel.
“On the zero trust strategy” published earlier this year by OMB, he said, “the first pillar is identity [with] a loud and clear call from OMB that agencies can move away from PIV [personal identity verification credential]-only.”
“OMB is talking about how FIDO [protocols that use standard public key encryption] is now going to be considered,” he said. “I like how [OMB Senior Advisor] Eric Mill puts it – that we recognize PIV has a certain fragility to it.”
“So now we can start to use a modern identity access solution,” Connelly said. “There’s a lot of momentum around the identity pillar.”
Connelly also touched on the requirement that Federal agencies migrate or create at least one FISMA-moderate system of this kind within the next year.
“There’s a lot of focus on talking to agencies” about what that step really means, he explained.
“Some agencies are full-bore, they understand what this is and they’re moving forward,” he said. “Other agencies we have to discuss with them what the possibilities are, how they can move their systems to the cloud.”
“It’s clear that that’s pushing agencies forward in both tactical and strategic ways,” Connelly said.
Elsewhere during his remarks, the CISA official talked about the importance to the zero trust push of the General Services Administration’s FedRAMP program, which provides a standardized approach to security assessment, authorization, and continuous monitoring for the cloud products and services that government agencies use.
“We have FedRAMP modernization going on, and we continue working with the FedRAMP team,” Connelly said.
Also through the FedRAMP program, “we’ve seen the number of FedRAMP High baselines is starting to be accelerated as agencies are moving the most sensitive data to the cloud,” he said.
“It’s critical that the vendors are able to provide these types of services to help agencies as they move to TIC 3.0 and SASE-type solutions,” he said.
Separately, cloud security provider Zscaler recently announced one such FedRAMP High Authority to Operate (ATO), saying earlier this month that its Zscaler Internet Access (ZIA) service had received that designation.
The company said the FedRAMP High ATO enables its ZIA service “to meet the requirements of civilian agencies with high-security requirements, as well as Department of Defense (DoD) and intelligence organizations.”
The new certification currently makes ZIA the only Secure Access Service Edge (SASE) TIC 3.0 solution to have achieved FedRAMP’s highest authorization, which means it has “undergone rigorous audits of critical security controls to protect the government’s most sensitive unclassified data in remote cloud computing environments,” Zscaler said.