Now that the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) have released their new directives for Federal civilian agencies to move to zero trust security principles and expanded cloud adoption, what are some near-term steps that Federal IT and cybersecurity officials should think about as they get ready to put those directives into action?
To find out, we spoke with Sean Connelly, Trusted Internet Connections (TIC) program manager and senior cybersecurity architect at CISA, and John Simms, senior technical advisor at the agency, for a rundown on how agencies can best engage in the process, especially as both the OMB and CISA zero trust and cloud guidance are in draft form, and subject to change based on public comment.
The key guidance documents released earlier this week are OMB’s Federal Zero Trust Strategy draft, CISA’s draft Zero Trust Maturity Model, and the Cloud Security Technical Reference Architecture (TRA) draft prepared by CISA, the U.S. Digital Service, and the General Services Administration’s FedRAMP program. The comment deadline for the Federal Zero Trust Strategy draft is September 21, while CISA is taking comments on the other two through October 1.
Impactful Comments
The first step for Federal agencies that will have to execute on the policy directives, Connelly said, is to get familiar with their contents, and then submit comments to improve them.
“We are open and listening,” Connelly said. “We are open to feedback from the public, academia, industry, agencies – really anyone. We really want to make sure we have the message out loud and clear.”
If recent history on security policy drafts is any guide, comments to the agencies are likely to have an impact on the drafts. Connelly – whose office at CISA is the driving force behind development of TIC policy – recounted that comment solicitations on previous TIC guidance documents have resulted in a doubling of their size.
Asked about feedback on the CISA-authored guidance documents so far, Connelly noted that the maturity model draft had already been vetted privately with Federal agencies beginning in June, with positive feedback but also requests for more technological descriptions, among other items.
Connelly said CISA is particularly interested in public feedback on the cloud TRA guidance, as it was prepared by three different organizations. “I’m really curious about the response to this co-authored document … with three authors and three different tones.” He added, “so far, it’s positive feedback.”
Evaluation and Repurposing
Asked about first steps agency tech leaders should take in diving into the guidance drafts, Simms advised that “the first thing to do is to really take a step back and understand the systems in terms of the major applications that agencies are looking to apply zero trust to.”
He said the migration to zero trust “is not intended to be a one size fits all, because clearly not every system needs to be secure to the same degree.”
And he advised agencies to “take the incremental steps of not only understanding the way systems are communicating with each other, [but also] how users are interacting with systems. Those are some of the key first steps.”
“A lot of agencies should really take stock in capabilities that they have right now, that they’re using in their enterprise to support cybersecurity,” Simms said. Existing capabilities, he said, “can be recast or repurposed to align more specifically with zero trust,” and he advised agencies to consider those possibilities “before they go buy new solutions or capabilities.”
CDM, TIC Offices Are First Stops
Simms said that CISA already has open doors for agencies to make contact and get working on the zero trust and cloud adoption directives.
“I think the biggest thing is for the agencies to contact their project managers at the Continuous Diagnostics and Mitigation (CDM) program, and contact us at the TIC program office to start having those conversations,” Simms said.
“A lot of times we engage on programs here at CISA through the TIC program because I think a lot of agency representatives see the TIC program as that gateway for talking about cloud security in particular,” Simms said. “But also with zero trust they see how we’re looking to shift the perimeter protections to a more flexible framework. That’s one way that we’d be able to support agencies to start those conversations.”
Parallel Paths
Connelly also talked about the parallel and sometimes interwoven paths of cloud adoption and migration to zero trust security principles, and how agency officials might look at those as separate but joined.
“I think this is an interesting time because they started out different paths but they are certainly complementary to each other,” he said.
“With the migration path that’s identified in the zero trust architecture within these documents, the first few steps are identify the roles, identify the assets, and identify the processes, but it’s the same thing with zero trust,” he said.
“The first steps are to identify the transaction flows, and that really doesn’t mean only technical data flows themselves, but who needs to talk to whom, and which offices need to support each other so there are complementary or line steps between them.”
“And with migration … that is readjusting to the cloud or reshaping, or moving to a container refactoring, or reimagining what they can do with cloud service, a lot of opportunities are available, simply because those principles of zero trust – least privilege, credential access, building context to monitoring – the cloud offers this in a way that wasn’t available in the traditional on-prem legacy environments,” Connelly said.
On-Prem Zero Trust
Simms explained that moving to zero trust security principles does not necessarily mean moving to the cloud, and that zero trust can also be accomplished with on-prem systems.
“If you look at some of the basic characteristics of what you would do to start employing zero trust capabilities in an on-prem environment, we know that a lot of the agency networks are generally flat, where you have most [of] your security capabilities on the perimeter and facing the internet,” he said.
“Bringing those capabilities and that architecture in to support segmentation of networks – but more specifically around services and major applications to protect data – those are some very straightforward steps that can be taken in on-prem environments to start to protect those systems [in] zero-trust fashions,” Simms said.
“As we mentioned before, it’s not a one-size-fits-all,” he continued. “You would not take an entire agency data center and employ a full suite of zero trust principles to every application … it needs to be done in a planned, methodical way based on the risks and attack surfaces of the applications and data.”
Friction Control
Finally, Connelly emphasized the government’s big-picture aims in the zero trust migration.
“What we are trying to [do] with zero trust – on the one side, we’re trying to create less friction for users,” he said. “We’re trying to make it easier for them to connect to their services, move more towards single sign-on, and less hoops or hurdles that the user has to get past to get to their data.”
“On the flip side, we are trying to create more friction for the adversary to access that same data,” he said. “I think that’s the prime reason we’re looking at zero trust – it’s a modern architecture, a modern smarter solution for today’s modern environments and the modern adversaries that we are seeing.”
“Looking at the capabilities of zero trust and how it works together to provide access to applications and data, it’s also about obtaining more visibility, more orchestration, and more policy enforcement and policy decisions in terms of what users can and cannot do on those systems,” Simms said.
“I think that you don’t have to look too far to look at how many high-value assets agencies have on their networks or in their cloud environments to know that there’s a significant amount of sensitive data that’s critical to the agency that needs to be protected appropriately, and I think that’s very consistent with what is espoused with zero trust principles,” he said.
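Two of the ideas Simms raises above lend themselves to a concrete illustration: segmenting policy around individual services and major applications instead of trusting everything inside a flat perimeter, and making explicit, logged policy decisions about what a user can and cannot do. The following is an added Python example written for this article; it is not code from the original piece, from CISA, or from any agency artifact. It contrasts a perimeter-only decision (inside the network means trusted) with a per-application zero-trust decision that evaluates role, MFA and device posture on every request, and records each decision for visibility. The application names, roles, policy thresholds and sample requests are all constructed and hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    """One access request, carrying the context a zero-trust decision point evaluates."""
    user: str
    role: str
    app: str
    action: str              # "read" or "write"
    network: str             # "internal" (flat agency LAN) or "internet"
    mfa: bool                # session was authenticated with MFA (e.g. via single sign-on)
    device_compliant: bool   # endpoint posture as reported by device management


@dataclass(frozen=True)
class AppPolicy:
    """Per-application policy: a least-privilege role map plus context requirements."""
    sensitivity: str                  # "low" | "moderate" | "high"
    permitted: Dict[str, Set[str]]    # role -> actions that role may perform on this app
    require_mfa: bool
    require_compliant_device: bool


# Constructed, hypothetical applications and roles (not taken from any agency).
POLICIES: Dict[str, AppPolicy] = {
    "payroll": AppPolicy(
        sensitivity="high",
        permitted={"hr_analyst": {"read"}, "hr_admin": {"read", "write"}},
        require_mfa=True,
        require_compliant_device=True,
    ),
    "intranet-wiki": AppPolicy(
        sensitivity="low",
        permitted={r: {"read", "write"} for r in ("staff", "hr_analyst", "hr_admin")},
        require_mfa=False,
        require_compliant_device=False,
    ),
}


def perimeter_decision(req: Request) -> bool:
    """Flat-network model: anything already inside the perimeter is trusted."""
    return req.network == "internal"


def zero_trust_decision(
    req: Request, policies: Dict[str, AppPolicy] = POLICIES
) -> Tuple[bool, List[str]]:
    """Evaluate the request against the application's own policy; network location is not a factor."""
    policy = policies.get(req.app)
    if policy is None:
        return False, ["unknown application: default deny"]
    reasons: List[str] = []
    if policy.require_mfa and not req.mfa:
        reasons.append("MFA required for this application")
    if policy.require_compliant_device and not req.device_compliant:
        reasons.append("device does not meet posture requirements")
    if req.action not in policy.permitted.get(req.role, set()):
        reasons.append(f"role '{req.role}' may not '{req.action}' on '{req.app}'")
    return (not reasons), (reasons or ["all policy checks passed"])


# Every decision is recorded so that access patterns are visible, not only blocked.
DECISION_LOG: List[dict] = []


def enforce(req: Request, policies: Dict[str, AppPolicy] = POLICIES) -> bool:
    """Policy enforcement point: apply the decision and log it with its reasons."""
    allowed, reasons = zero_trust_decision(req, policies)
    DECISION_LOG.append({
        "user": req.user, "app": req.app, "action": req.action,
        "network": req.network, "allowed": allowed, "reasons": reasons,
    })
    return allowed


# Constructed sample requests.
SAMPLE_REQUESTS: List[Request] = [
    # On the LAN, but no MFA, an unmanaged device, and a role with no payroll rights.
    Request("jdoe", "staff", "payroll", "write", "internal", mfa=False, device_compliant=False),
    # From the internet, strongly authenticated on a compliant device, within role.
    Request("asmith", "hr_admin", "payroll", "write", "internet", mfa=True, device_compliant=True),
    # Analyst with read-only rights attempting a write on a high-sensitivity app.
    Request("bliu", "hr_analyst", "payroll", "write", "internet", mfa=True, device_compliant=True),
    # Low-sensitivity app with no MFA or posture requirement, permitted role.
    Request("jdoe", "staff", "intranet-wiki", "read", "internet", mfa=False, device_compliant=False),
]


def compare_models(requests: List[Request] = SAMPLE_REQUESTS) -> List[Tuple[str, bool, bool]]:
    """Return (label, perimeter_allows, zero_trust_allows) for each request."""
    return [(f"{r.user}->{r.app}:{r.action}", perimeter_decision(r), enforce(r)) for r in requests]


if __name__ == "__main__":
    for label, perim, zt in compare_models():
        print(f"{label:30s} perimeter={perim!s:5s} zero_trust={zt}")
    for entry in DECISION_LOG:
        print(entry)
```

The first sample request shows the "more friction for the adversary" side: a perimeter-only model admits it simply because it originates inside the network, while the per-application policy denies it on three independent grounds. The second shows the "less friction for users" side: a legitimate administrator working from the internet is admitted once identity, MFA and device posture check out, with no VPN or network position required. The decision log is what makes the "visibility" point concrete; in practice it would feed the monitoring already in place rather than a Python list.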