Federal agencies are showing urgency and pushing hard to meet challenging zero trust security implementation deadlines following rollout of the Office of Management and Budget’s (OMB) zero trust strategy in January, government and industry experts agreed during a March 15 webinar hosted by MeriTalk and Merlin Cyber.
The March 15 webinar – the second in a four-part webinar series discussing Federal zero trust security pillars and research findings from MeriTalk and Merlin Cyber – keyed in on the sentiments of the 150 Federal cybersecurity executives, and the device pillar of the Zero Trust Maturity Model released by the Cybersecurity and Infrastructure Security Agency (CISA) last year.
Central to the research findings are that 73 percent of Federal cybersecurity decision-makers say their agencies are aggressively adopting zero trust security principles, and nine out of 10 believe that Federal policy directives for zero trust adoption are useful for the shift. But at the same time, 87 percent think those policy directives are pushing agencies too quickly to achieve effective zero trust implementation.
“I agree with a lot of the initial results we have here,” said Richard Grabowski, Acting Program Manager of CISA’s Continuous Diagnostics and Mitigation (CDM) Program, whose program dovetails tightly with endpoint detection and response (EDR) mandates under the Biden administration’s cybersecurity executive order (EO) and related zero trust policy.
“I do think a lot is being asked of agencies, especially during the current landscape,” he said. “There are a lot of threats out there, geopolitical things going on, there’s Log4j, and there are a lot of mandates and other initiatives … it seems to be a lot on agencies right now.”
Speaking to the research findings that 87 percent of respondents feel that policy directives are pushing them too quickly toward zero trust implementation, Grabowski said, “I kind of hear that first-hand” from agencies.
At the same time, “a lot of positive conversations are zero trust are happening, I think there’s a full embrace, and rightfully so,” he said. “Agencies have this really positive thirst for zero trust knowledge,” Grabowski continued. “They are looking for actionable guidance, they are looking for standards, they are having the right conversations.”
“Honestly, I’ve been encouraged by the last five years because the conversations have pivoted from being acquisition and procurement-focused first, to much more measured, deliberative, and conversational and learning-first planning” for security investments, he said.
“Recently with the EO I’ve seen a lot of agencies also take advantage of simultaneous, parallel efforts that are in the EO, and using available resources and top-cover for things like EDR that relate to the EO, and making actionable steps there as well,” the CDM program manager said.
Bryan Ware, president of emerging technology consulting firm Next5, and formerly assistant director for cybersecurity at CISA, agreed during the webinar with Grabowski’s assessment of the survey results, and the conflict between agency decision makers who feel urgency in implementing zero trust, while at the same time feeling they are being pushed too quickly toward that goal.
He suggested that a better mindset would be to realize the very long-term nature of implementing and sustaining zero trust security architectures.
“The construct of talking about pillars kind of sets us up to think that you build a pillar, and then you’re done, and you have five pillars, and they’re built, and then you’re done,” Ware said. “But in reality, we all know that we’re never going to be done,” he said. “I think that’s part of it … the frustration, because everything is constantly moving,”
“The zero strategy at the end of the day is a strategy really for continuous improvement and continuous experimentation, and continuous adaptation, and continuous analytics to identify the new things that we’re going to have to do,” he said. “It’s not just a procurement-oriented strategy where we’re going procure and deploy this thing, and then we’ll move from one pillar to our next pillar.”
Miguel Sian, Vice President of Technology at Merlin Cyber, a provider of cybersecurity software and technologies, said during the webinar that the research shows “very positive indicators within government with regard to zero trust and getting to critical mass of understanding what it means to implement through trust security.”
“I think there’s a critical mass now … of recognizing the practical benefits of shoring up my cybersecurity posture and my cyber defenses by improving zero trust,” he said.
Referring to OMB zero trust strategy for Federal agencies issued in January, Sian said that policy document has “really crystallized for government agencies what the objectives are over the next two fiscal years and fiscal year 2024.”
“There are also some very good signals that I’m getting being at the intersection point of technology providers and our government customers,” Sian said, that reflect “good partnership that’s happening in collaboration with regard to the tooling that’s being provided to agencies.”
“We’re seeing a lot more positive momentum on gap filling with respect to CDM and leveraging the tools that are available to agencies to improve their visibility, improve device security, and improved privileged access,” he said. “So overall, positive sentiment with collaboration along with a critical mass of understanding of the zero trust benefits and practical implications of what that means for the agencies.”
For the whole story, please access a replay of the complimentary webinar.