CISA Zero-trust Maturity Model – Takeaways from the White House OMB Memo
The White House, along with CISA, is taking action to improve security models. In particular, there have been initiatives by the White House to move toward zero-trust maturity models, enhance perimeter-based security, and alleviate threats introduced by cloud-based and hybrid solutions. Both private and public sector organizations can benefit from a thorough understanding of the takeaways of the White House’s newest OMB memo—especially Federal contractors who may find themselves under these new standards.
The White House OMB Memo and White House Cybersecurity Executive Order
Over the last few years, the Federal government has made great strides in cybersecurity initiatives. In large part, this is due to necessity; there are ever-increasing issues related to cybersecurity threats from all over the world. In last year’s White House OMB memo, the zero-trust maturity model was discussed relative to the public and private sector, but most specifically Federal government standards.
In the White House initiatives, the Federal government pushed improvements in efforts to identify, deter, and protect against malicious actors. Furthermore, standards and processes were outlined for taking action to protect the nation from potential cybersecurity threats. This memo and the associated executive order are extremely relevant, given multiple high-profile public sector attacks and security breaches.
A major takeaway from the Federal government was the need for better, more transparent security models, while still following zero-trust security standards. Government entities must both be transparent about their security methods while also adopting zero-trust policies. As zero-trust policies are understandably often difficult to deploy, organizations must start these transitions as early as possible—especially if they work with the public sector in any capacity.
Another core takeaway was the acknowledgment that many organizations are now using cloud-based, on-premises, or hybrid solutions. The Federal government, in fact, may have entities using cloud-based or hybrid solutions that exist on physical systems that they are not entirely or ultimately in control of. A deeper understanding of these solutions and the consequences of their use is absolutely essential.
Ultimately, the OMB zero-trust memo and OMB zero-trust strategy will provide a pathway to better security for all organizations.
The Major Barriers to Adoption to CISA’s Zero-Trust Strategy
Presently, there are some major barriers to complete cybersecurity management and zero-trust adoption. Partly, this has to do with the fragmented nature of the government. As there are many government entities and nearly infinitely more government contractors, it can be difficult to introduce new security initiatives and security standards.
But with the Cybersecurity and Infrastructure Security Agency (CISA), Intelligence Community (IC), and even Federal Bureau of Investigation (FBI) all working together, standards can be set and the organizations involved can be proactively managed. Zero-trust and perimeter-based security models are absolutely essential.
What Are the Threats Facing Government Entities?
The security threats government entities face are the same that all organizations face: malware, phishing attempts, and even social engineering. A great deal of the malware that is created is specifically designed to target public sector organizations. Other threats include phishing attacks, ransomware, and distributed denial-of-service (DDoS) attacks.
But more than that, government entities can become bogged down in legacy solutions. It can be difficult to initiate new standards, which also means it’s difficult to adjust to new threats. Organizations can’t just create new practices, policies, and solutions; they must also create practices that make themselves agile and able to pivot.
If you are a contractor working with the Federal government or if you are a government entity itself, it is absolutely essential that you adopt zero-trust policies and practices. Furthermore, you must also ensure that your systems are up to date and compliant with all relevant security standards.
The White House OMB memo is extremely important, as it sets the stage for how the Federal government intends to improve cybersecurity going forward.
What is the CISA Zero-Trust Maturity Model?
The CISA Zero-trust Maturity Model (ZTMM) is a tool for government organizations to measure their progress in adopting zero-trust security. The model has four levels of maturity, each with its own set of requirements:
1. Awareness: At this stage, organizations are just beginning to become aware of zero-trust and the need for improved security. They may be beginning to adopt some zero-trust practices, but they are not yet fully committed.
2. Basic: Organizations at this stage have a basic understanding of zero-trust and have adopted some core practices. They are beginning to see the benefits of zero-trust, but they have not yet fully implemented it.
3. Intermediate: Organizations at this stage have a good understanding of zero-trust and have adopted many best practices. They are seeing significant benefits from their zero-trust implementation, but they continue to face challenges.
4. Advanced: Organizations at this stage have fully embraced zero-trust and have achieved excellent results. They can continually adapt their security posture to changing threats and have become leaders in the zero-trust space.
The CISA ZTMM is a living document that will be updated as new best practices are identified. It is important for government organizations to periodically assess their progress and make sure they are on track to achieve advanced status.
How Does Zero-Trust Work with Perimeter Security?
The short answer is that zero-trust and perimeter security are not mutually exclusive. They can and should be used in conjunction with one another.
Perimeter security is the practice of securing the edges of a network. This can be done through physical security measures like fences and guards or through logical security measures like firewalls and intrusion detection systems.
Zero-trust, on the other hand, is a security philosophy that holds that no one should be trusted implicitly. All users and devices must be authenticated and authorized before they are given access to any data or resources.
When these two concepts are combined, it creates a much more secure environment. Perimeter security provides a first line of defense, while zero-trust ensures that only authorized users can access sensitive data.
Conclusion: Will Your Organization Meet the Goals of the White House Cybersecurity Executive Order?
The White House OMB memo is a clear call to action for all government contractors and entities to follow the CISA zero-trust maturity model and CISA zero-trust pillars. You must adopt zero-trust policies and practices if you want to do business with the Federal government. But it’s easier said than done. If your organization needs to improve its authentication standards and protection, it needs help. Axiad can provide an all-in-one authentication service for your organization—so you can keep it protected.