Tag Archives: zero trust

Zero Trust Passes Key Milestone

Posted on by

In January 2022, the Zero Trust Federal Strategy set a deadline of September 30, 2024, for agencies to adopt some level of zero trust architecture. Based on early indications, agencies have largely met zero-trust goals. The Federal CIO reported in early September that the 24 CFO Act agencies were all over 90% of the way to meeting the zero-trust goals. Beyond that group, the federal government as a whole was at 87% goal completion.

What's Changed?

The shift to zero trust is a response to the way government and citizens are using technology. With the increased use of cloud-based solutions, the traditional "castle and moat" security that protected on-premise infrastructure no longer supports the way applications are being deployed. Zero Trust focuses on continually verifying that users have permission to access the data and systems they are using. Gaining access requires coordination among a number of technologies that all work with a common set of user identification and access policies. Continue reading

The Changing Identity of Identity Management

Posted on by

A key element of the move to zero trust is the use of "strong multi-factor authentication (MFA) throughout their enterprise." While identity management has been indicated by many as the "low hanging fruit" of a zero-trust journey, it is by no means easy. In fact, recent guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) called it "notoriously difficult."

Key challenges to implementing MFA include:

  • Lack of standards - the CISA/NSA guidance pointed to confusion over MFA terminology and vague policy instructions as primary challenges to implementing more secure access. A joint committee of European Union (EU) and U.S. experts addressed this same issue in the Digital Identity Mapping Exercise Report, which aimed to define specific digital identity technical terminology. For example, the group found some definitions, such as "authoritative source" and "authentication factor," are identical between the U.S. and EU, whereas others, like "identity" and "signature," remain only partially matched.
  • Phishing - bad actors do not always hack the system; they hack the process, gaining entry through social-engineering tactics that grow more sophisticated by the day. The CISA/NSA report called on the vendor community to provide MFA services with additional investments and greater defenses against sophisticated attacks.
  • Rise of Generative AI - The Department of Homeland Security (DHS) is working to ensure technologies can determine if a submitted image is legitimate or a hacker's spoof. This "liveness detection" is needed to ensure that a submitted selfie is really a photo of a person, not a mask, photo of a photo, or other technique to try to get past the check.

Continue reading

FITARA Goes to the Cloud, Grades Come Down to the Ground

Posted on by

The 17th edition of the Federal Information Technology Acquisition Reform Act (FITARA) scorecard featured a revamped list of measurements to illustrate federal agency progress against current modernization goals. This latest scorecard introduced two new categories - Cloud Computing and CIO Investment Evaluation - while dropping the measurement of compliance with data center modernization, something all agencies have completed.

This reshuffling of measurement criteria resulted in lower grades for 11 agencies. Twelve agencies saw their grades unchanged. The Department of Defense (DoD) was the sole group earning a higher grade, rising from a C to a B. These drops are not necessarily a concerning indicator, but rather a re-baselining of where agencies stand in terms of modern digital government goals. Continue reading

National Cybersecurity Strategy: Building a More Secure Future

Posted on by

In March, the Biden Administration released the latest guidance aimed at improving the cybersecurity practices of Federal agencies. The National Cybersecurity Strategy builds on the Executive Order for Improving the Nation's Cybersecurity that makes cybersecurity a strategic focus of every agency. This latest guidance drills further into the actions needed to ensure that government systems and citizen data are protected against the ever-evolving threat landscape.

The goal of the strategy is to "rebalance the responsibility to defend cyberspace" and "realign incentives to favor long-term investments." To do this, the responsibility for cybersecurity must be shifted to the organizations that are most capable and best-positioned to reduce risks. It points out that, "a single person's momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences." While security is the responsibility of everyone, small businesses, small localities, and individuals simply do not have the resources to support the security needed to protect systems and data. Instead, the guidance proposes new incentives to favor long-term investments in security, resilience, and new technologies. Continue reading

Understanding Barriers to Zero Trust

Posted on by

Two years following the "Cyber EO" naming zero trust as the security architecture of the future and after one year of implementing the Federal Zero Trust Strategy, federal agencies have made important progress predicting and identifying roadblocks. With the first major deadlines coming at the end of 2023, this year is critical for figuring out how to overcome identified barriers.

Resource Issues

A survey found that 35% of federal CIOs say they have "intermediate or advanced" zero trust capabilities in place, but there are concerns about having the right resources and funding to fully meet administration mandates. Nine in 10 respondents agreed a key step is having a zero trust assessment performed by an outside resource to identify gaps and key focus areas, but contracting and finding funding for this effort is difficult. With this assessment, existing resources can be assigned to the most critical and impactful areas, and the need for additional funding and resources can be prioritized. Funding specifically earmarked for zero trust will be in FY24 budgets. This funding is determined by aligning the work and tools needed across each capability area. Continue reading