NIST Says Federal Agencies Struggling to Achieve Zero Trust
Agencies Face Array of Implementation Challenges While Racing Toward 2024 Deadline
U.S. federal agencies have less than a year to show they can meet the basic requirements of zero trust architecture, but most of them are still grappling with the preliminary step of figuring out what's on their networks, a federal official said Thursday.
President Joe Biden in May 2021 signed an executive order prioritizing zero trust, the security framework that subjects users and assets to repeated revalidation. The White House in implementation guidance gave agencies until next September to complete zero trust tasks such as improving identity systems and access controls.
Alper Kerman, a National Institute of Standards and Technology security engineer and project manager for the National Cybersecurity Center of Excellence, said that most agencies are hung up at the stage of assessing a complete inventory of every device operating on their networks.
"In order to build the right ZTA solution for your organization, you have to analyze," Kerman said at an event focused on achieving zero trust hosted by Nextgov/FCW. Most agencies lack comprehensive insights on their network components, information systems, types of users, usage patterns and more, he said, leaving federal networks vulnerable to sweeping cyberattacks.
The NIST National Cybersecurity Center of Excellence is spearheading a project with industry collaboration to develop a set of best practices and guidance on achieving zero trust for federal agencies. The forthcoming guidance, published under the rubric of SP 1800-35A, is set for publication next, Kerman said.
Even with an asset inventory at hand, agencies often struggle to decide which devices to keep in their environments, according to Kerman.
While some technologies already installed on federal networks may feature zero trust capabilities, Kerman said most agencies will inevitably have to procure new software and services, which can potentially become a costly and time-consuming hurdle.
Legacy systems are a major challenge for many organizations, Kerman said, "because we cannot 'lift and shift' and drop them in a ZTA environment [and] then expect that environment, its functionalities and applications to work."
Instead, agencies will need to play the long game in order to successfully achieve zero trust. That means investing in the right tools and technologies and training the workforce to ensure all stakeholders are doing their part to protect federal systems, he said.
"When security breaches happen, they impact all of us," Kerman said. "So everyone in the organization needs to understand the benefits of zero trust and how to support it because it will have an impact on how we work together."