
CISA Preparing to Assess Federal Zero Trust Progress

US Cyber Defense Agency Plans to Review Updated Implementation Plans in November

The top U.S. cyber defense agency is accelerating efforts to collaborate across the federal government and deliver concrete progress on implementing zero trust architectures ahead of a critical November deadline, a senior official said Thursday.


Agencies had until Sept. 30 to move away from perimeter-based defenses under an Office of Management and Budget memorandum. They must submit updated zero trust architecture implementation plans next month outlining how they will meet key security objectives including eliminating implicit trust, securing critical assets and continuously verifying users and devices in real time. Officials previously said agencies were on track to achieve significant zero trust milestones (see: Federal CIO Says Agencies on Track for Zero Trust Milestones).

As agencies prepare to submit their updated zero trust implementation plans, the Cybersecurity and Infrastructure Security Agency is coordinating with OMB and stakeholders to ensure a thorough review of the forthcoming qualitative data, according to Brandy Sanchez, CISA’s zero trust initiative lead.

"The goal is not to put somebody in a box and beat them with a stick," Sanchez said at a zero trust summit hosted by the Advanced Technology Academic Research Center in Reston, Virginia. "You're not going to get any progress that way."

Sanchez said CISA and OMB will use more than two years of data - agencies were last required to submit zero trust implementation plans in early 2022 - to pinpoint funding shortfalls, enhance critical support and strengthen technical assistance for zero trust adoption across the federal government. CISA will also assess how agencies are "testing the effectiveness" of their zero trust frameworks, Sanchez said, such as using penetration testing in simulated attack scenarios and MITRE ATT&CK evaluations, which measure defenses against known cyberattack techniques.

Federal CIO Clare Martorana said in September that agencies "are all in the high 90% range" towards achieving the federal strategy goals, but she noted earlier at the Billington Cybersecurity Summit that consistent funding is a critical challenge for sustaining zero trust efforts and enabling agencies to implement and maintain robust ZTAs amid shifting budget priorities and resource constraints.

"It is a continued journey that the government is going to undergo for many years," Martorana said. "But I can see real progress."

Sanchez said CISA will meet with agencies in November to assess funding gaps and discuss alternatives, from shared services to the Technology Modernization Fund, as well as potential partnerships with private sector entities and the use of innovative technologies to enhance zero trust implementations across the federal landscape.

"The real metric here is that if we're doing the right things, if we're putting the right measures into place, that we're going to start seeing a reduction of those cybersecurity events and the severity across the federal enterprise," Sanchez added.


About the Author

Chris Riotta


Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.



