CISA predicts cyber EO will drive progress on zero trust

Federal officials said Wednesday they see a path to "meaningful progress" on zero trust across government agencies in three years with the help of tight deadlines featured in President Joe Biden's cybersecurity executive order.

Most agencies were just beginning to create zero trust implementation plans in response to a 60-day deliverable within the cyber EO, according to Matt Hartman, deputy executive assistant director for the Cybersecurity and Infrastructure Security Agency (CISA), who spoke at an ACT-IAC panel about the order's impact on improving national cybersecurity.

The White House had already begun collaborating with CISA and other relevant offices ahead of the May 12 order to release new guidelines around the use of advanced security systems. The interagency collaboration was a critical part of an ongoing effort to get various agencies up to speed, including those that had not yet begun developing any plans around zero trust, Hartman said.

"It's important to consider that many of these tasks [in the executive order] are sprints to develop strategies," he said. "The administration fully recognizes that many of the core issues being addressed will only be solved through years - literally years - of focus and continued investment."

The National Security Agency (NSA) released guidance for zero trust security models ahead of the executive order in late February, providing recommendations for implementation and describing the zero trust security model as "a coordinated system management strategy that assumes breaches are inevitable or have already occurred."

CISA also developed a zero trust maturity model in recent weeks for agencies seeking clarity on what key targets can be used to determine progress across five pillars: identity, device, network, application workload and data. A CISA representative later told FCW there was "nothing to share publicly at this time" on the zero trust maturity model document.

National Security Council (NSC) Director for Cyber Incident Response Iranga Kahangama said the timelines featured in the order were "aggressive but achievable." He also described the order as an authoritative document providing clarity about the direction and speed at which the White House aimed to achieve zero trust and an improved national cyber posture.

"I think we realized with the federal government and its complexity, it's going to take a winding path for each agency," he said. "But what we wanted to do was really send a signal to the whole bulk of government and to industry that this is where we're going."

A tranche of deadlines, those 60 days out from the issuance of the order, is looming. By July 11, agencies need to submit plans and milestones for implementing zero trust architecture and report on these efforts to the Office of Management and Budget and the deputy national security adviser for cybersecurity, a position currently held by Anne Neuberger.

Despite the aggressive deadlines included in the cyber order, guidance around zero trust has been drafted to provide agencies with some flexibility around their own implementation timeframes. Hartman said CISA and the White House were working to develop "many enduring plans with additional milestones" by the 90-day benchmark included in the executive order around zero trust. At that time, OMB is due to issue cloud security guidance to push agencies toward zero-trust architectures.

About the Author

Chris Riotta is a staff writer at FCW covering government procurement and technology policy. Chris joined FCW after covering U.S. politics for three years at The Independent. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president.
