At a glance.
- US officials wait for establishment of Cyber Safety Review Board.
- CISA works to revise its zero-trust maturity model.
- OMB tells all Executive departments and agencies to implement a zero-trust strategy by FY2024.
- Proposed bill would designate CISA as a federal Chief Information Security Office.
The US Cyber Safety Review Board remains aspirational.
US President Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity, signed last May, called for the Department of Homeland Security (DHS) to create a Cyber Safety Review Board to investigate major cyber incidents like the SolarWinds espionage operation. However, SecurityWeek notes, the board still hasn’t been established, despite the Biden administration’s other efforts to focus on the country’s cybersecurity. Officials are voicing concern that the absence of a board, and the resulting delay of critical investigations, could be a threat to national security, especially with the conflict between Russia and Ukraine raising the prospect of nation-state cyberattacks. Senator Mark Warner, chairman of the Senate Intelligence Committee, stated, “We will never get ahead of these threats if it takes us nearly a year to simply organize a group to investigate major breaches like SolarWinds. Such a delay is detrimental to our national security and I urge the administration to expedite its process.” When asked about the delay, DHS said it’s making progress on setting up the board and that a “near-term announcement” could be expected.
Neil Jones, Cybersecurity Evangelist at Egnyte, is also unhappy about the delay in setting up the board:
"The delay in creation of the Cyber Safety Review Board is inadvertently a big win for potential cyber-attackers. Imagine a world in which transportation incidents like plane crashes were never deeply investigated by expert panels such as the National Transportation Safety Board, meaning we’d never learned key lessons from the incidents that could be applied to prevent future issues. That is where we currently stand. Our previous advice is more pertinent than ever:
"1) Overall governmental and industry requirements need to be strengthened.
"2) Organizations need to pursue data-centric security strategies that effectively secure and govern sensitive data (particularly for mission-critical supply chain relationships).
"3) Smaller organizations need to remain vigilant. Techniques that cyber-attackers utilize on larger organizations will continue to be adapted for use on smaller organizations, since they usually employ smaller security teams and have less advanced security controls. When the board is officially announced, I strongly recommend that it should begin reviewing cyber-security incidents and sharing its findings with the industry ASAP."
CISA revises its zero trust maturity model.
FCW focuses on another important aspect of Biden’s cybersecurity executive order: the implementation of zero trust architectures in federal agency systems. A US Cybersecurity and Infrastructure Security Agency (CISA) official said Tuesday that the agency is working on revising its zero trust maturity model. Grant Dasher, a CISA identity and access management expert, said that while the updates are being considered, CISA is urging agencies to focus on other important recommendations, such as implementing multi-factor authentication. "That is a significant value add on its own, and it's a foundational piece of zero trust," Dasher stated.
Merlin Cyber and MeriTalk have just released a report on zero trust implementation titled “Zeroing In: 2022 State of Federal Zero Trust Maturity.” More than 150 federal cybersecurity decision makers were surveyed about the federal government’s zero trust plans. The results indicate that 70% of federal agencies are “aggressively adopting” zero trust principles, while another 26% are taking a more selective approach. When asked about the feasibility of the government’s zero trust goals, 92% said recent federal initiatives increased their confidence that zero trust will be implemented, though 87% said they feel agencies are being pushed to act too quickly for effective implementation. Respondents noted that centralizing cybersecurity tools, integrating new solutions with older systems that rely on implicit trust, and the necessary staff training could present challenges for zero trust implementation.
The US Office of Management and Budget moves Executive Branch toward zero trust.
The Office of Management and Budget (OMB) today issued a memorandum to the heads of Executive departments and agencies that "sets forth a Federal zero trust architecture (ZTA) strategy." Federal agencies will be expected "to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 in order to reinforce the Government’s defenses against increasingly sophisticated and persistent threat campaigns." Agencies have sixty days from the memorandum's publication to incorporate its specific requirements into their zero-trust implementation plans, and to provide CISA and OMB a compliant "implementation plan for FY22-FY24 for OMB concurrence, and a budget estimate for FY24." The end state OMB envisions is "a Federal Government where":
- "Federal staff have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks.
- "The devices that Federal staff use to do their jobs are consistently tracked and monitored, and the security posture of those devices is taken into account when granting access to internal resources.
- "Agency systems are isolated from each other, and the network traffic flowing between and within them is reliably encrypted.
- "Enterprise applications are tested internally and externally, and can be made available to staff securely over the internet.
- "Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information."
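The end state above can be read as a set of access-decision inputs: an enterprise-managed identity with phishing-resistant authentication, a tracked device whose posture is known and recent, and data-category rules that decide what a given device may reach. The following policy decision point is an added illustration of how those inputs combine in a deny-by-default evaluation; it is not code from OMB, CISA, or any agency, and the field names, the set of authenticators treated as phishing-resistant, and the 15-minute posture freshness window are all assumptions chosen for the example.

```python
"""Illustrative zero-trust policy decision point (added example, not agency code).

Every request is evaluated against identity, device posture, and a data-category
rule; any failed check denies, and a missing or stale posture report fails closed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: authenticator types this example treats as phishing-resistant
# (WebAuthn/FIDO2 and PIV smart cards). OTP over SMS/TOTP and passwords are not.
PHISHING_RESISTANT = {"fido2", "piv"}
# Assumption: a device posture report older than this is treated as unknown.
MAX_POSTURE_AGE_S = 900


@dataclass
class Subject:
    user_id: str
    enterprise_managed: bool    # account issued by the agency's identity provider
    authenticator: str          # "fido2", "piv", "totp", "sms", "password"


@dataclass
class Device:
    device_id: str
    enrolled: bool              # present in the enterprise device inventory
    disk_encrypted: bool
    edr_healthy: bool           # endpoint agent running and reporting
    posture_age_s: int          # seconds since the last posture report


@dataclass
class Resource:
    name: str
    sensitivity: str            # data-category label: "internal" or "sensitive"


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(subject: Subject, device: Optional[Device], resource: Resource) -> Decision:
    """Deny by default: collect every failed check; any one of them denies access."""
    reasons: List[str] = []

    # Identity: enterprise-managed account with phishing-resistant MFA, for every resource.
    if not subject.enterprise_managed:
        reasons.append("identity is not an enterprise-managed account")
    if subject.authenticator not in PHISHING_RESISTANT:
        reasons.append(f"authenticator {subject.authenticator!r} is not phishing-resistant")

    # Device: must be tracked, and its posture must be recent enough to trust.
    # No record or a stale report fails closed rather than defaulting to allow.
    if device is None or not device.enrolled:
        reasons.append("device is not enrolled in the enterprise inventory")
    elif device.posture_age_s > MAX_POSTURE_AGE_S:
        reasons.append("device posture report is stale; posture treated as unknown")
    elif resource.sensitivity == "sensitive":
        # Data-category rule: sensitive data additionally requires a healthy, encrypted endpoint.
        if not device.disk_encrypted:
            reasons.append("sensitive data requires full-disk encryption on the device")
        if not device.edr_healthy:
            reasons.append("sensitive data requires a healthy endpoint agent")

    return Decision(allow=not reasons, reasons=reasons)


def demo() -> List[Decision]:
    """Constructed requests: one allowed, then denials for weak MFA, stale posture, no device."""
    hr_db = Resource("hr-records", "sensitive")
    wiki = Resource("intranet-wiki", "internal")
    good_dev = Device("lap-0042", True, True, True, 60)
    stale_dev = Device("lap-0043", True, True, True, 3600)
    alice_fido = Subject("alice", True, "fido2")
    bob_sms = Subject("bob", True, "sms")
    return [
        evaluate(alice_fido, good_dev, hr_db),   # allow
        evaluate(bob_sms, good_dev, wiki),       # deny: SMS OTP is phishable
        evaluate(alice_fido, stale_dev, wiki),   # deny: posture unknown
        evaluate(alice_fido, None, wiki),        # deny: no device record
    ]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allow else "DENY ", "; ".join(d.reasons))
```

The point of recording every reason rather than returning on the first failure is operational: the denial can be logged with the full set of missing conditions, which is what an agency's security and data teams need to tune the data-category rules without quietly over-permissioning to accommodate edge cases.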
Randy Watkins, CTO at CRITICALSTART, emailed an explanation of zero trust and why it matters:
“Zero trust is a very secure, but potentially disruptive, security model that assumes every user and asset is compromised, and every action is malicious. It’s extremely effective at preventing attacks but can also be effective at negatively impacting the organization. The first step in an implementation of a security framework as impactful as zero trust is to assess the organization, its users, assets, and applications to understand the baseline of expected communications and permissions.
"A properly implemented zero trust architecture is not dependent on signatures or attacker tactics, techniques, and procedures (TTPs), which makes it more effective at detecting or preventing unknown attackers and attacks.
"The biggest risk is improper implementation and over-permissioning to accommodate nuance in necessary access. Additionally, while zero trust is extremely effective at minimizing the scope of the breach, individually compromised machines can still pop up.”
Proposed legislation would designate CISA as the federal Chief Information Security Office.
Members of the US House Oversight and Reform Committee have introduced a bipartisan bill aimed at codifying the duties of the federal chief information security officer, a role currently held by Chris DeRusha. A summary released by the committee explains that the legislation “clearly assigns federal cybersecurity policy development and oversight responsibilities to the Office of Management and Budget (OMB), operational coordination responsibilities to the Cybersecurity and Infrastructure Security Agency (CISA), and overall cybersecurity strategy responsibilities to the National Cyber Director.” Some lawmakers, however, feel the bill’s call for CISA to become a federal Chief Information Security Office could lead to confusion over whether CISA or OMB is in charge of certain tasks. At a recent event, Representative John Katko of New York stated, “We can't have 130 CISOs in the federal government. We need CISA to be that quarterback and that CISO.” Former Federal CISO Grant Schneider told Nextgov, “The federal CISO position, just like the federal CIO position, is primarily focused on policy development and oversight for all federal civilian agencies. As such, it’s not going to be inside one agency, it's going to be at OMB, that's the way we're structured today. So, in my opinion, you need to ask people for more clarity when they say things like, 'the CISO should be here' or 'it should be there.' I would ask questions around what roles and responsibilities and duties they think should be performed by each organization."