The Federal government’s march toward zero trust security architectures is well underway, with guidance documents from several agencies. And while that guidance is crucial, Federal agencies cannot confine themselves only to the practices described in those documents, Federal experts said during an ATARC event on August 9.
Zero trust guidance documents already in the hands of agencies include the Federal Zero Trust Strategy drafted by the Office of Management and Budget, the Zero Trust Maturity Model drafted by the Cybersecurity and Infrastructure Security Agency (CISA), and the Cloud Security Technical Reference Architecture, also drafted by CISA. Together, they provide agencies with roadmaps and resources for their security migration.
The guidance documents may present directional challenges for some agencies, said Karim Said, chief information security officer for the Office of Headquarters Services and the Office of Strategic Infrastructure at NASA. They “need to be seen as thematic and not ‘to-do’ lists” so as not to “divert on-going zero trust efforts already in place,” he said.
“The real challenge is in realizing as an enterprise that these concepts are thematic,” Said offered. “We can’t get spun up about every single new thing that comes out. We must stay the course with those bread-and-butter practices that we should have been doing all along. And that bridges everything from the way we architect our networks, to the way we manage our identities, to the way we handle device inventory, management, and more,” he said.
Stephen Haselhorst, the zero trust lead at the Office of the CIO and chief privacy officer for the Federal Deposit Insurance Corporation, explained that the zero trust guidance helps to “validate our efforts and sell the idea of zero trust to non-believers.” Agreeing with Said, Haselhorst explained that the guidance documents cannot function like checklists.
“I always talk to people and tell them to not see this guidance as the end game,” Haselhorst said. “Don’t see it as a checklist. Don’t confine yourself to that. Utilize the guidance as an aspiring starting point and validate the strategy that you’re working towards,” he said.
Conrad Bovell, director for the Division of Information System Security at the Centers for Medicare and Medicaid Services at the Department of Health and Human Services, added that because both security practices and zero trust principles will continue to evolve, the Federal agency guidance documents also should be used to evaluate security models and implement necessary changes.