Expanding CISA’s Zero Trust Role Is Smart: Here’s Why

Picture this: The president is poised to deploy U.S. military forces to respond to a future geopolitical crisis. Suddenly an authoritarian state covertly targets the operations of Federal Civilian Executive Branch (FCEB) agencies with disruptive cyber threats. The attack holds a few missions and essential services as digital hostages and signals the potential to do even worse in an escalating crisis: It’s a bid to panic U.S. leaders and the American public and deter the nation from acting in the interest of national security. Now the president’s decisions on the crisis are harder to make due to the vulnerability of data, devices, and systems at civil government agencies. This potential scenario illustrates the urgency of strengthening federal cybersecurity today.

To get ahead of such threats, the Biden administration is implementing zero trust across the federal enterprise. In this whole-of-government effort, roles can grow over time: Zero trust isn’t a zero-sum game. Now the nation needs the Cybersecurity and Infrastructure Security Agency (CISA) to assume a more visible, practical role helping civilian government agencies with zero trust architecture (ZTA) implementation. Enhancing CISA’s zero trust role this way is one of the recommendations to CISA and Congress in a new independent report published by the Center for Strategic and International Studies (CSIS). The study, which Booz Allen sponsored, serves the public interest: It reviews the current cyber services offered to the FCEB agencies as well as the current and future state of the threat landscape. It also recommends other services that CISA could offer FCEBs for stronger protection.

Civilian agencies have a diverse range of missions, separate budget plans, and unique IT modernization efforts, but they share a requirement to meet specific zero trust goals by the end of fiscal year 2024. CISA has made significant contributions to this effort, including the release this year of an updated Zero Trust Maturity Model. Also, CISA is in the early stages of developing a related technical annex for operational technology (OT). In addition, CISA is exploring the development of new zero trust metrics and measures to augment existing Federal Information Security Modernization Act (FISMA) metrics and assessing how its Continuous Diagnostics and Mitigation (CDM) program could enable automated reporting.

With further tasking and resources, CISA could supply more help to address three major challenges that impede FCEB ZTA implementation:

1. Agencies need to assess the current state of their zero trust maturity. Right now, most FCEB agencies have given CISA rudimentary zero trust assessments that aren’t well structured and evoke “check the box” compliance.
2. Agencies need to implement zero trust. CISA has issued several pieces of guidance: These do not dictate a single approach—and that’s fine. CISA should revise its guidance on CDM capability requirements to reflect orchestration and automation objectives, such as conditional access. It should also share those requirements with industry so that original equipment manufacturers (OEM) can demonstrate how their products enable those requirements.
3. Agencies need to carry out continuous monitoring and reporting. All 93 agencies with a CDM Memorandum of Agreement (MOA) have deployed the CDM Dashboard and are feeding data to CISA. However, there is still further work to do to expand monitoring to more aspects of the enterprise.

So, what would CISA’s enhanced role look like? For starters, here are some ideas:

• CISA could have a team of zero trust experts engaged with FCEB agencies to supply recommendations on architecture and implementation approaches.

• What’s more, CISA could work with the Department of Defense (DOD) to see how they are implementing zero trust via the Thunderdome effort. It could also schedule technology exchanges that complement CISA’s ongoing high-level engagement with DOD’s chief information officer (CIO).

• CISA could expand on nascent efforts to develop specific metrics and measures for zero trust that could be reported in an automated fashion using the CDM Dashboard Ecosystem.

The ZTA recommendation is just one of many pieces of actionable advice in the CSIS report. Another recommendation urges Congress to ensure consistent, coherent, and flexible funding streams for initiatives like the CDM program. CDM helps civilian agencies strengthen their management of assets, user access controls, network security, and data protection, and it enables CISA to respond to cyber threats in a coordinated, accelerated way. Also, the report calls for a study of whether to (and how to) centralize ownership of FCEB networks: By addressing key issues and questions like these, the nation can ensure the federal government is well positioned to build cybersecurity and resilience at scale.