CISA Creating Zero-Trust Playbook for Government
Agencies may transition slowly to the new security principle.
The Cybersecurity and Infrastructure Security Agency may soon release an initial playbook for departments and agencies to follow while transitioning to a zero-trust cybersecurity architecture. The new guidance will be based on lessons learned from various pilot programs across the government.
Sean Connelly, the program manager for the Trusted Internet Connections (TIC) program at the agency commonly known as CISA reports that the agency has been collecting those lessons learned and will share them across the government possibly early next year. “One of the things we’re looking at is called the TIC playbook. That playbook will describe an operational example for others to learn from,” he says. The agency intends to publish a series of the playbooks over time.
Zero trust is a new cybersecurity model that ultimately will be adopted across the entire government. It essentially states that no user or device will be trusted to connect to a network until authenticated, and even then, they will be granted the least amount of access and privileges needed.
The TIC program was originally developed to assist in protecting modern information technology architectures and services. Zero trust is a critical piece of the TIC 3.0 core guidance documentation recently released by Connelly and his team. TIC 3.0 offers a fundamentally different approach to cybersecurity than its predecessors TIC 1.0 and TIC 2.0.
“Existing infrastructure and legacy systems are built on what’s called implicit trust. For the last 10 years, there was this … castle-and-moat philosophy where there’s a large boundary protection, and you had this security stack and firewalls and the different sensor devices. That was what the federal architecture has been for the last 10 years,” Connelly explains. “We’re now moving to more distributed architectures and more of a zero-trust philosophy. We’re trying to build trust explicitly throughout the different systems in the environment.”
The series of playbooks will add to the growing list of zero trust-related documentation from various government departments and agencies, including the White House, CISA, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget, which Connelly describes as “the team captain” on zero trust. This past summer, for example, CISA released its draft zero trust maturity model, inviting comment from government employees, academia, think tanks and others.
TIC 3.0 also offers agencies greater flexibility in implementing cybersecurity solutions. Connelly describes TIC 1.0 and TIC 2.0 as playing a more “prescriptive” role, meaning they prescribed precisely how government security architectures should be built. TIC 3.0, on the other hand, is more “descriptive,” meaning CISA is “describing the guidelines” or “the guardrails” that agencies should consider.
The zero trust maturity model is built on five pillars: identity, device, network/environment, application workload and data. Several functions or capabilities cut across those pillars. They are authentication, identity stores, risk assessment, visibility and analytics, automation and orchestration and governance. The maturity model also describes three stages of zero-trust migration—traditional, advanced and optimal.
The coronavirus pandemic and the resulting surge in telework for government and military employees accelerated the move toward more distributed networks and zero-trust architectures. Some organizations—including the Defense Department and intelligence community—started their zero-trust transitions relatively early.
For instance, the Defense Department, National Security Agency and Air Force all have released their zero trust reference architectures, Connelly notes. Defense Department officials tout the benefits of the Defense Information Systems Agency’s Thunderdome program. The department intends to implement a prototype of the zero-trust architecture in the coming months. The new architecture is expected to enhance security, reduce complexity and save costs while replacing the current defense-in-depth approach to network security.
Meanwhile, the Air Force also is implementing zero trust pilot programs. “Zero trust is really promising to improve user experience, the availability of our networks and systems, and simultaneously, it is going to strengthen our cybersecurity,” says Hunter Hodges, branch chief for Cyber Enterprise Engineering with the 16th Air Force’s 688th Cyberspace Wing.
Others are only beginning to explore zero trust. “We work with some agencies we consider to be model, exemplary agencies, that began this zero-trust journey sooner than others. We’re trying to distill those lessons learned in different documents and guidance, those playbooks if you will, to share those out across the federal communities,” he says.
A go-slow approach focused on small pilot programs involving fewer connections has definite advantages, Connelly indicates. “It may be easier to start with small pilot programs, distill lessons learned from that first, and then move out and use those lessons learned for the greater enterprise environment.”
He describes one “premier software company” that took seven years to complete the process with its internal systems. Given the nature of the government’s legacy systems, he notes, it is “going to take a number of years to migrate the majority of those systems over.”
Connelly touts the benefits of zero trust for securing networks used for critical infrastructure, such as transportation, banking and finance, the electrical grid and communications. Most of that critical infrastructure is owned by the private sector rather than the government, but CISA and other government entities work closely with those owners and operators to enhance security. “When it comes to our nation’s critical infrastructure, we know that in today’s environment, the cybersecurity landscape is constantly changing, so we’re dedicated to working with critical infrastructure owners and operators,” he says.
He also emphasizes the need to plan ahead. “We fully recognize that if we always just put out today’s fires we’ll never get ahead. We have to build out capacity within our partners and drive change in the long term,” Connelly offers. “If the last year has taught us anything, it’s that the threat landscape is only going to continue to evolve and become more complex. Whatever the threat of tomorrow is, we must begin preparing today and do it together.”
Government agencies face multiple challenges in transitioning to the new cybersecurity approach, including capability gaps in existing systems, cultural obstacles and a lack of properly trained personnel. This past summer, CISA officials used weekly security operations calls to poll more than 400 employees across all levels of government. “The majority of respondents identified zero trust as a top cybersecurity challenge. About 25 percent of participants indicated they are just beginning to develop their zero-trust plans,” Connelly reports. “One of the challenges facing agencies is that there are many gaps, holes if you will, in legacy systems when trying to apply a zero-trust mentality.”
Many legacy systems rely on the castle-and-moat approach known as implicit trust. They may need to be rebuilt or replaced to meet the new zero-trust tenets. “At the same time, not only is zero trust a technical exercise, but we recognize it’s going to be a cultural shift. It’s going to be a shift throughout the whole organization,” he says, adding that it will require discussions and coordination with infrastructure and operations teams, governance teams and executive leaders.
A shortage of personnel trained on zero trust is another hurdle. “There’s a talent gap right now that we’re trying to mitigate in many ways. There’s not a large pool of zero-trust technical experts on the government side. That’s also in industry,” he offers.
Companies are beginning to solve the training issue, though. “There are a number of zero-trust certifications that have started to arrive on the market. The vendor community is starting to collaborate in different ways to provide vendor-agnostic zero-trust principles and the tenets to be applied,” Connelly points out.
The recent SolarWinds cybersecurity breach may have resulted in a silver lining because it was covered by news publications, such as The Wall Street Journal, Forbes and Fortune, that cater to executive-level leaders, whom Connelly refers to as the “C-suite.” “It was very interesting to see how it was being discussed outside the operational security teams. I think there’s a recognition that there needs to be change in security on the operations side. There is a visibility at the C-suite level recognizing how zero trust might be able to help them. Zero trust is naturally coming in at the right time.”