Picture this: The president is poised to deploy U.S. military forces to respond to a future geopolitical crisis. Suddenly an authoritarian state covertly targets the operations of Federal Civilian Executive Branch (FCEB) agencies with disruptive cyber threats. The attack holds a few missions and essential services as digital hostages and signals the potential to do even worse in an escalating crisis: It’s a bid to panic U.S. leaders and the American public and deter the nation from acting in the interest of national security. Now the president’s decisions on the crisis are harder to make due to the vulnerability of data, devices, and systems at civil government agencies. This potential scenario illustrates the urgency of strengthening federal cybersecurity today.
To get ahead of such threats, the Biden administration is implementing zero trust across the federal enterprise. In this whole-of-government effort, roles can grow over time: Zero trust isn’t a zero-sum game. Now the nation needs the Cybersecurity and Infrastructure Security Agency (CISA) to assume a more visible, practical role helping civilian government agencies with zero trust architecture (ZTA) implementation. Enhancing CISA’s zero trust role this way is one of the recommendations to CISA and Congress in a new independent report published by the Center for Strategic and International Studies (CSIS). The study, which Booz Allen sponsored, serves the public interest: It reviews the current cyber services offered to the FCEB agencies as well as the current and future state of the threat landscape. It also recommends other services that CISA could offer FCEBs for stronger protection.
Civilian agencies have a diverse range of missions, separate budget plans, and unique IT modernization efforts, but they share a requirement to meet specific zero trust goals by the end of fiscal year 2024. CISA has made significant contributions to this effort, including the release this year of an updated Zero Trust Maturity Model. Also, CISA is in the early stages of developing a related technical annex for operational technology (OT). In addition, CISA is exploring the development of new zero trust metrics and measures to augment existing Federal Information Security Modernization Act (FISMA) metrics and assessing how its Continuous Diagnostics and Mitigation (CDM) program could enable automated reporting.