In May of this year, the Biden Administration released an executive order focusing on cybersecurity that mandated government agencies put a zero trust plan on paper within 60 days. This executive order certainly made headlines within and around the Beltway, but the zero trust recommendation is not new – even in the public sector.
In fact, multiple zero trust recommendations, documents, and frameworks have been issued across the government even before the executive order. What separates these disparate documents, and which one should government agencies follow as they implement a zero trust architecture within their IT organization?
To answer these questions, we recently sat down with Don Maclean, the Chief Cyber Security Technologist at DLT and a government cybersecurity veteran. During our discussion, we asked Don if zero trust is the cybersecurity silver bullet people seem to believe it is. We also asked him which zero trust recommendation, guidance, or framework makes sense for an agency looking to secure their networks in the face of increasingly common and sophisticated ransomware attacks.
Here is what he told us:
GovCyberHub (GCH): Zero trust is often portrayed as a silver bullet approach to cybersecurity that can solve many of the data and network security challenges facing agencies. Is this necessarily the case? Before we start to look at different frameworks and guidance, can we discuss what zero trust does and doesn’t do?
Don Maclean: One of the oldest sayings in cybersecurity is that there is no silver bullet. However, with the recent state of attacks and the uptick in ransomware attacks against our critical infrastructure, it’s obvious that what we’re doing isn’t working and we need a new approach.
Zero trust doesn’t provide a silver bullet, but it gives agencies a chance to reevaluate their security programs and rethink their security organizations from the ground up. It also acknowledges that the chance of being breached is about 100 percent and agencies need to take security measures according to that reality.
The bad part is that agencies now have to take all of these different documents, frameworks, and maturity models from across the government and attempt to turn them into reality.
They also must understand and overcome the significant human element and barriers to zero trust. There are mindset changes and organizational changes necessary to embrace zero trust. For example, some organizations have gotten rid of their firewall – a huge change for a security organization.
If you’re changing your capabilities and embracing new technologies, there are training issues involved. There are issues with contracts. There are people that are scared that – if technologies are taken out or replaced – that they’ll lose their jobs or they’ll have their role reduced.
So, while zero trust allows agencies to reimagine security from the ground up, that will involve a large amount of change. And government agencies can be large, bureaucratic organizations that change slowly.
GCH: You mentioned different guidance, different frameworks, and different zero trust recommendation documents across the government. I understand that there have been zero trust recommendations from a number of agencies – including NIST, the DoD, and the NSA. How are these all different?
Don Maclean: In short, all roads lead back to NIST. The HHS recommendations, the DoD recommendations, the NSA recommendations: all of them at least reference the NIST documentation in some regard as a foundation.
So, if anyone in the public sector is looking to wrap their heads around a zero trust recommendation and what it entails, the NIST document is the first place to start. It lays the groundwork for a lot of the other recommendations and documents.
What I really like about the NIST document is that while it lays out a clear approach to zero trust architecture, it also ties the approach back to all of their recent and significant documents, recommendations, and frameworks around cybersecurity – including their Risk Management Framework (RMF).
The DoD has recently published its zero trust recommendations and, as I said, it is very much in line with the NIST document, but much longer: about 170 pages. In those extra pages, it lays out the principles of zero trust and incorporates specifics missing from the other frameworks and documents. For example, it establishes how to adopt zero trust architectures. It explains the operational capabilities that are associated with zero trust. It also establishes a maturity model with milestones for zero trust programs which is applicable across the government.
An agency’s choice of a zero trust model depends on how they want to approach it. They can align their program to the phases of the risk management framework, or to the maturity model approach in the DoD document. Either way works.
However, I do really like the DoD document because it explains the principles of zero trust, recommends specific technologies, and gives agencies an approach for executing a zero trust program. It also provides a seven-pillar framework for the basic elements of zero trust.
GCH: Are the frameworks, recommendations, and documents from organizations like the NSA or DoD any more stringent than the others, considering the sensitive nature of the data that they store and manage?
Don Maclean: Not really because the whole idea is to create a safe environment regardless of the threat level or risk profile.
The NSA document is only about seven pages long and they paint zero trust with very broad strokes. Like DoD, NSA provides a maturity model for approaching zero trust and getting started.
What’s interesting about the NSA document is that – although they can’t mandate the approach – they strongly recommend zero trust in DoD, federal civilian, and the intelligence community. They even go beyond that and recommend that contractors and the defense industrial base (DIB) use zero trust.
However, I wouldn’t say that it’s any more strict or stringent than the other zero trust documents that exist across the government, even though it came from the intelligence community. The DoD and civilian agencies, like NSA, manage plenty of top-secret data.
Since they all have very sensitive, secret data, it really shouldn’t be a surprise that the zero trust documents and frameworks are all similar and that the NSA document is no more stringent than the others. However, it is the only document that recommends that everyone – including the private sector and DIB – embrace zero trust.
GCH: We’ve established that many of these documents, recommendations, and frameworks are similar. But what do they actually contain?
Don Maclean: I looked at all of these frameworks and documents across the government: the DoD document, the NIST document, the NSA recommendations, the HHS program – and those in the private sector – the Forrester ZTX and Google’s BeyondCorp zero trust program. When I got through the verbiage and the bureaucratic language, I realized they all espouse many of the same essential principles. They all say, “don’t count on your perimeter to safeguard your network. There is no ‘inside’ and ‘outside’ of your network, and you’re not safe inside. Assume that you have been breached or will be soon, so be ready. And constantly validate and authenticate all entities, not just humans, devices, etc.”
They might use different terminology and they might lay it out all different ways, but under the hood, they are remarkably consistent in their approach. They all also recognize that there is both a technology element to zero trust, as well as a mindset and cultural change that’s necessary.
We also saw the recent executive order from the Biden Administration. That document’s zero trust recommendation is in the context of securing the supply chain. So, although zero trust is a comprehensive approach to security, from the standpoint of national security, it is part of an even bigger picture.
GCH: It sounds as though several of these documents have maturity models. Which should an agency choose? Why choose one over the other?
Don Maclean: The DoD document associates specific controls and technologies with zero trust categories. So, it’s a little more concrete than the others. The DoD document gives more concrete guidance about where different technologies fit into the different pillars of zero trust. It doesn’t recommend specific products, but it does give guidance on the different technologies and how they contribute to a zero trust architecture.
For broad, contextual guidance, NIST is incredibly valuable. For more concrete steps for how to get started in terms of technology implementations, I would look to the DoD document.
Agencies need to choose a maturity model approach. They can take the DoD maturity model or NSA maturity model approach – or they can do something a little different and align their approach to the NIST risk management framework. All of those approaches work.
To make an informed decision, I would encourage agencies to look at real-world implementations and learn from them. Research the Forrester maturity model. Research the Google BeyondCorp program and use those real-world resources to help decide.
GCH: Do any of these recommendations and documents mandate zero trust? If not, what can help make zero trust a reality across the government?
Don Maclean: None of these documents have mandated anything, although the DoD document might be considered a bit of a mandate within the DoD. The recent executive order from the Biden Administration is as close to a mandate as we’ve seen so far.
The executive order mandates a zero trust plan and consequently lays the groundwork for implementation. The executive order was published on May 12, and that mandate required that plans be established within 60 days, so – presumably – those documents are done now.
The good thing about executive orders is that they come from the White House and therefore carry some weight. The bad thing is that they don’t come with money. The budgets aren’t there and zero trust isn’t cheap. So, it’s going to take more than just an executive order.
There were executive orders about cybersecurity from previous administrations, but they mostly generated documentation rather than concrete improvements in security. It will take a mandate from the people that control the purse strings to make this more than a paperwork exercise.
I’m confident that it will happen; there have been enough attacks lately that could trigger them to take action. We’ll have to wait and see.