Presidential advisory committee finds zero-trust push an ‘incomplete experiment’
The National Security Telecommunications Advisory Committee found the government risks zero trust becoming an “incomplete experiment” unless its principles are integrated into federal governance structures, policies and programs, in a draft report released Thursday.
NSTAC makes 24 recommendations, nine of them key, in the report with the goal of fostering a culture of zero trust in government that will ensure it becomes an enduring cybersecurity strategy, rather than just “a collection of disjointed technical security projects” — a “national imperative.”
NSTAC is a committee that provides industry-based analysis and policy recommendations to the Office of the President on how the government can improve national security and emergency preparedness telecommunications.
President Biden tasked NSTAC with conducting a three-part study into enhancing internet resilience at the same time he issued the Cybersecurity Executive Order in May 2021, requiring agencies to begin adopting zero-trust security architectures. NSTAC’s assessment of zero trust is but one part.
“Effective, lasting transformation can only be achieved through a sustained whole-of-government commitment to promoting strategic coherence, employing effective management and oversight, ensuring sustained financial investment, and fostering strong alignment of the fundamental principles of zero trust in existing federal cybersecurity programs, procedures and policies,” reads the report. “The U.S. government can, and must, act now by implementing this report’s recommendations to institutionalize zero trust and lay the foundation for a cybersecurity transformation ultimately measured in decades, not years.”
NSTAC’s key recommendations include the federal chief information security officer (CISO) and national cyber director establishing progress metrics for agencies to implement the Federal Zero Trust Strategy released in January — metrics agency CISOs or their superiors would be required to report. One such metric the Office of Management and Budget should oversee is agencies publishing one zero-trust use case with lessons learned annually and reviewing them as part of a working group convened with the National Institute of Standards and Technology, prior to updating federal policy.
OMB should have the Federal CISO Council identify governmentwide infrastructure services expected to be ubiquitous for at least five years and establish a working group to develop zero-trust maturity models protecting them, according to the report.
NSTAC also recommends OMB issue a memo clarifying how the Federal Zero Trust Strategy aligns with Federal Information Security Management Act requirements and task NIST with releasing a special publication mapping zero trust to security controls.
For its part, the Cybersecurity and Infrastructure Security Agency should establish a Zero Trust Program Office for issuing guidance, reference architectures, capability catalogs, training modules in coordination with the Department of Defense’s new Zero Trust Program Office when possible, according to the report.
NSTAC further recommends CISA create a shared security service for internet-accessible asset discovery, a new offering for agencies just beginning their zero-trust journeys, in addition to clarifying existing offerings.
NIST’s National Cybersecurity Center of Excellence should assess zero-trust technologies based on their interoperability in a special publication promoting efficient adoption. The agency should also develop and mature standards and guidelines internationally, per the report.
The last key recommendation is CISA incentivize state and local zero trust adoption with federal grants for IT security modernization.