With its new National Cybersecurity Strategy, the Biden administration is doubling down on moving the Federal government to a zero trust security architecture, following last year’s mandate to set specific zero trust goals by the end of fiscal year 2024.
“There is definitely a large and clear call from the White House, from the National Cyber director, ONCD, from OMB, about the importance of zero trust adoption across the Federal agencies,” said Cybersecurity and Infrastructure Security Agency (CISA) Senior Cybersecurity Architect Sean Connelly today during a zero trust webinar hosted by MeriTalk.
“You can go to the recently released Cybersecurity Strategy, lean back in the Cyber Executive Order from two years ago, to OMB’s Federal Zero Trust Strategy – a lot of different ways that executive leadership is having agencies have these discussions in new ways,” Connelly explained.
Mike Nelson, the VP of digital trust at DigiCert, said during MeriTalk’s “Zero Trust: The Next Federal Frontier” webinar that when government flexes its purchasing power, companies begin to put better and more secure products on the market.
“I love it when the government uses its purchasing power because it really is the biggest purchaser in a lot of industries,” Nelson said. “So, when the government says this is the mandate, the industry follows.”
“I believe that this is driving across industries – organizations – to actually start really taking zero trust and good security architecture seriously,” Nelson added.
Andy Stewart, Cisco’s national security and government senior strategist for cybersecurity, said that with the new National Cybersecurity Strategy, he’s seen a harmonization of all the recent government documents driving change for a better governmentwide cyber posture.
“One thing the strategy does call out is that the government should be a model for the other sectors,” Stewart said. “The Federal government saying that they’re going to be the model and have that flow down to state and local governments is actually a pretty important part of the strategy. And they recognize how that harmonizes with other directives.”
The Biden administration’s National Cybersecurity Strategy that came out in March of this year says that the United States will aim to increase cyber resilience through a variety of means, including developing a diverse and robust national cyber workforce.
This will be a hard thing to implement, said Brandon DeVault, a senior security author at Pluralsight. He argued that companies must develop a continuous learning culture to ensure that cyber training is up to date.
“When you get into security, you have a human on the other end and there’s no simple checklist for how to defend against the human. And so that training becomes a lot more complicated, especially as the adversaries get more and more advanced,” DeVault said.
“You have to be able to adapt to these new cyber threats as they evolve, and that means having training that’s up to date and keeps the learners engaged so that they’re able to apply those recent threats into their constant day-to-day,” he said.
CISA provides training resources for both government and private-sector partners, and Connelly said that the agency is actively having discussions throughout the government to understand what some of the barriers are to continuous cyber training and zero trust adoption in general.
“We’ve had a number of training cohorts working with agencies to help agencies to begin to understand what it means for zero trust, for themselves,” Connelly said. “We are trying to scale these types of discussions to be much larger.”
The White House is expected to release an implementation plan for its National Cybersecurity Strategy this summer, noting that the document will have specific calls to action for the different Federal agencies.
Concluding the panel of cyber experts, DigiCert’s Nelson said, “The timing for it is now. Connectivity is not decreasing, and the need for these systems to be secure is so important.”