Zero trust adoption ‘really is a journey’ for agencies, says CISA head Jen Easterly

The Cyber Infrastructure Security Agency understands that adopting a zero-trust architecture is a major challenge for some government agencies and is continuing to seek feedback on its recently published implementation guidelines, the agency’s head Jen Easterly said Tuesday.

“We know that it really is a journey. Some organizations that are just on the front end of re-architecting their networks, so we wanted to give them benchmarks to get to, in how they advance in maturity,” Easterly said at the Amazon Web Services D.C. Summit.

CISA earlier this month published Zero Trust Maturity Model and Cloud Security Technical Reference Architecture documents, which are intended to give agencies benchmarks as they adopt the new approach to security in the age of the cloud. The agency is seeking feedback from federal technology experts on the documentation, and respondents have until Oct. 1 to comment on the documentation.

Easterly emphasized also that the agency is seeking to foster open channels of communication both with the private sector and other branches of the federal government. Through its recently launched Joint Cyber Defense Collaborative, CISA is seeking to increase information sharing about current cyberthreats with the private sector.

Federal departments worked fast to adopt zero-trust infrastructure following the Biden administration’s cyber executive order in May, which gave agencies just 60 days to adopt their zero-trust plans, with an emphasis on accelerating the purchase of secure cloud services.

CISA’s guidance documents are accompanied the publication of a draft zero-trust strategy by the Office of Management and Budget, which sets out priorities for civilian agencies rolling out the cybersecurity architecture in the coming years.