CISA Preparing to Assess Federal Zero Trust Progress
US Cyber Defense Agency Plans to Review Updated Implementation Plans in November
The top U.S. cyber defense agency is accelerating efforts to collaborate across the federal government and deliver concrete progress on implementing zero trust architectures ahead of a critical November deadline, a senior official said Thursday.
Agencies had until Sept. 30 to move away from perimeter-based defenses under an Office of Management and Budget memorandum. They must submit updated zero trust architecture implementation plans next month outlining how they will meet key security objectives including eliminating implicit trust, securing critical assets and continuously verifying users and devices in real time. Officials previously said agencies were on track to achieve significant zero trust milestones (see: Federal CIO Says Agencies on Track for Zero Trust Milestones).
As agencies prepare to submit their updated zero trust implementation plans, the Cybersecurity and Infrastructure Security Agency is coordinating with OMB and stakeholders to ensure a thorough review of the forthcoming qualitative data, according to Brandy Sanchez, CISA’s zero trust initiative lead.
"The goal is not to put somebody in a box and beat them with a stick," Sanchez said at a zero trust summit hosted by the Advanced Technology Academic Research Center in Reston, Virginia. "You're not going to get any progress that way."
Sanchez said CISA and OMB will use more than two years of data - agencies were last required to submit zero trust implementation plans in early 2022 - to pinpoint funding shortfalls, enhance critical support and strengthen technical assistance for zero trust adoption across the federal government. CISA will also assess how agencies are "testing the effectiveness" of their zero trust frameworks, Sanchez said, such as using penetration testing in simulated attack scenarios and MITRE ATT&CK evaluations, which measure defenses against known cyberattack techniques.
Federal CIO Clare Martorana said in September that agencies "are all in the high 90% range" towards achieving the federal strategy goals, but she noted earlier at the Billington Cybersecurity Summit that consistent funding is a critical challenge for sustaining zero trust efforts and enabling agencies to implement and maintain robust ZTAs amid shifting budget priorities and resource constraints.
"It is a continued journey that the government is going to undergo for many years," Martorana said. "But I can see real progress."
Sanchez said CISA will meet with agencies in November to assess funding gaps and discuss alternatives, from shared services to the Technology Modernization Fund, as well as potential partnerships with private sector entities and the use of innovative technologies to enhance zero trust implementations across the federal landscape.
"The real metric here is that if we're doing the right things, if we're putting the right measures into place, that we're going to start seeing a reduction of those cybersecurity events and the severity across the federal enterprise," Sanchez added.