As Federal agencies work to make progress on President Biden’s cybersecurity executive order (EO) and implement zero trust security architectures, agencies and their leaders must have a tight handle on their zero trust implementation plans, an official from the Cybersecurity and Infrastructure Security Agency (CISA) said.
Judy Baltensperger, a program manager for CISA’s Continuous Diagnostics and Mitigation (CDM) Program, said that the wide variation in Federal civilian agencies’ size and scope of work makes the implementation plans a crucial guiding light.
Baltensperger talked about the state of zero trust implementation during the fourth and final webinar of MeriTalk’s 2022 Zero Trust Maturity series, “Zeroing in on Application and Data” on June 1, sponsored by Merlin Cyber.
“All of their implementation plans, they’re all going to differ,” Baltensperger said. “And it really has to do with where they are in their maturity level. The agencies that we have vary in size, from the very, very large [Department of] Veterans Affairs with two million assets, all the way down to very small and micro agencies. Literally, they have fewer assets than you probably have in your own home.”
“Because the size is so vast and the maturity level across those is so vast, we have found that all of them are in different places,” she added.
“We need the agencies to understand their implementation plans,” Baltensperger said. “Where are they with their current capabilities? What zero trust concepts can they implement with those current capabilities? And then where are there gaps?”
Baltensperger also emphasized the importance that data plays in the zero trust architecture as one of the maturity model’s pillars.
“At the end of the day, zero trust is about the data, looking at where that data is, and the users that access the applications to get to those data,” Baltensperger said. “Along the way, there are challenges with interoperability – APIs (application programming interfaces), proprietary APIs,” she said.
Seth Spergel, managing partner for Merlin Ventures, agreed on the importance of data but said he is seeing a lag in maturity compared to some of the other zero trust pillars.
“If we look at things from the perspective of CDM – the way that [program] was set up initially – data was one of the leaders,” Spergel said. “And while that structure has changed a bit, I think data is still lagging a bit in terms of maturity, while things like asset visibility, equity, protection, identity, access, management, and management have been much stronger.”
However, Spergel said he thinks that the recent creation of more data-oriented Federal agency positions and trends in the industry have pushed data practices forward.
“I think we do seem to be at a tipping point now, [with] the assignment of data officers, across agencies,” Spergel said. “And I think if we look at where the industry is going as well, we’re seeing startups now that focus on things like cloud data security and how that requires different types of protection.”
As for how Federal agencies should proceed with their zero trust implementation, and whether they should look at it pillar-by-pillar or more holistically, Baltensperger said that because the CDM dashboard exists in many different hosting environments, CISA is looking at it from a more holistic view.
“The challenge we’re running into is that once we understand where the data is, we’re now trying to map what are all the different mechanisms in which you access the data,” Baltensperger said. “And then once you are authorized and the access controls are continuously monitored, we’re finding the different agencies have different identity capabilities.”
“That disparity in maturity level means that we have to look at it more holistically, but I could see an agency if they were going down this path [what] they might want to do is actually choose one single business process or application workflow to get to a certain piece of data and map it out completely,” she said.
To hear the whole conversation, register to watch the final webinar for MeriTalk’s 2022 Zero Trust Maturity series, “Zeroing in on Application and Data” on-demand.