The Cybersecurity and Infrastructure Security Agency (CISA) will unveil its secure-by-design guiding principles tomorrow, CISA Director Jen Easterly said during the Crowdstrike Government Summit in Washington, D.C., this week.
Easterly said on April 11 that the document is not the “Holy Grail” for product safety, but that CISA’s principles and approaches to secure-by-default are intended to start robust conversations “about the importance of shifting the burden to software companies from individual users and small businesses.”
The CISA leader said the document – which will be released by her agency on April 13 – was created in collaboration with government partners and several international partners.
Easterly’s announcement of the document comes on the heels of the Biden administration’s National Cybersecurity Strategy, which keys on a major theme of “rebalancing” the need to defend cyberspace by “shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks.”
In February, Easterly made the case for secure-by-design during a speech at Carnegie Mellon University, where she called for three “core principles” for technology manufacturers.
Easterly repeated those principles at Crowdstrike’s April 11 event: take ownership of security outcomes for customers; provide “radical transparency” to customers; and improve design quality in product by focusing on building safe products.
“The most important piece of [the sustainable approach to national security] is technology-product safety,” Easterly said on Tuesday.
“We now live in a world that is underpinned and driven by technology and software, and for years and years we’ve accepted software that is focused on speed to market, cool features, driving down the cost, but not on safety and security,” she continued, adding, “It’s incredibly important that we now focus on ensuring that the software that powers our lives is both secure-by-design and secure-by-default.”
“At the end of the day, we need to expect that software manufacturers are going to be driving down vulnerabilities before it gets to the consumer so you’re not putting all the burden on users and small businesses,” Easterly said.
“What I’m super excited about, is that on Thursday we’re going to put out our principles and approaches for security-by-design, security-by-default,” Easterly said. “We worked [on] that with our government partners and several of our international partners – and it’s not the Holy Grail – but it is really important data to start a robust conversation about the importance of shifting the burden to software companies from individual users and small businesses.”
CISA Unveils ZT Security Model 2.0
Also during the Crowdstrike Summit this week, Easterly showcased another big accomplishment: version two of the agency’s Zero Trust Maturity Model.
On April 11, CISA published an updated, second version of its Zero Trust Maturity Model that is guiding Federal agencies and other organizations along the path to adopting zero trust security architectures.
“We just put out an update to our Zero Trust Maturity model. We published the original version in 2021, and since that period of time we’ve been collecting feedback from our partners across the Federal agencies but also from industry partners,” Easterly said.
The CISA lead said that the new version “adds another level.”
The updated maturity model expands the range of maturity stages from three to four, by incorporating a new “initial” stage; the four stages now framed in the updated maturity model are: Traditional, Initial, Advanced, and Optimal.
“We found that it was too high a leap to go from traditional to advanced, so now we’ve got the initial stage” that serves as a roadmap for how agencies can actually implement steps across the five zero trust pillars, Easterly explained.
“It’s not, first of all, a magic solution … it’s a philosophy,” Easterly said of CISA’s updated document.
“The most important thing for anyone who’s starting off on this journey is to recognize that this is a journey, and it might take a while to get to what we call optimal zero trust architecture,” she said. “But you know the old saying ‘a journey of a thousand miles starts with one step,’ and now we’ve made the first step a little bit easier because we’ve gone from traditional to initial instead of traditional to advanced.”
Easterly continued, “Everybody’s on this journey, and we can all learn from each other so we can get to what looks optimal a lot faster.”
After speaking at the Crowdstrike event about the updated maturity model, Sean Connelly, Trusted Internet Connections (TIC) program manager and senior cybersecurity architect at CISA, told MeriTalk on Tuesday that the new version of the maturity model incorporates the value of 18 months of experience that CISA has gained in helping Federal civilian agencies begin their migration to zero trust security architectures.
The first version of the maturity mode, he said, “came out over a year and a half ago – that’s a long time.”
The updated version “reflects all the discussions we’ve had with agencies” both large and small “in terms of just talking to them about what challenges they have had,” he said.
One notable difference between the original maturity model and the update is that the first version tracked a “crawl, walk, run” progression for agencies termed as traditional, advanced, and optimal. Connelly said the updated maturity model includes another phase in that progress, so that it now tracks traditional, initial, advanced, and optimal zero trust architectures.
“There are just so many challenges or gaps, or just hurdles between that traditional and advanced stage that we shimmed in another stage … that really helps agencies understand” how to traverse the gap between the traditional and initial stages of progress, he said.
