NSA issues zero trust guidance, urging DOD and contractors to adopt model
The National Security Agency issued a cybersecurity information sheet Thursday with instructions for defense agencies and contractors on how to set up a zero-trust network architecture.
In it, NSA urges the entirety of the Department of Defense and its contractors to implement zero trust for sensitive systems to better prevent data exfiltration.
“NSA strongly recommends that a Zero Trust security model be considered for critical networks to include National Security Systems (NSS), Department of Defense (DoD) networks, and Defense Industrial Base (DIB) systems,” according to the cybersecurity information document.
The push to zero trust — where compromise is assumed and users are asked to verify their identity as they move around a network — has grown stronger after the discovery of the massive SolarWinds hack last year. The penetration of sensitive network components by suspected Russian hackers in the breach was another dire example of cybercriminals gaining wide access to information once in a network.
“Adopting the Zero Trust mindset and leveraging Zero Trust principles will enable systems administrators to control how users, processes, and devices engage with data,” NSA said in a release. “These principles can prevent the abuse of compromised user credentials, remote exploitation, or insider threats, and even mitigate effects of supply chain malicious activity.”
The seven-page document is just the beginning of the reference architecture the NSA plans to release to help contractors and DOD components move to a zero-trust model. The agency teased late last year a reference guide it has been working on in partnership with the Defense Information Systems Agency that it plans to release in 2021.
The document includes the pitfalls and challenges associated with its implementation. A lack of commitment by leadership to enterprise wide adoption is primary among those challenges listed in the document.
“With the pervasive need for Zero Trust concepts to be applied throughout the environment, scalability of the capabilities is essential,” the document states.