The tight deadlines featured in President Joe Biden’s cybersecurity executive order will push agencies to make “meaningful progress” on zero-trust initiatives, federal officials said.
Most agencies had started working on their zero trust implementation plans, and the White House had already begun working with the Cybersecurity and Infrastructure Security Agency to release new guidelines around advanced security systems, CISA Deputy Executive Assistant Director Matt Hartman, said at a June 30 ACT-IAC panel about the order’s impact.
Ahead of the May 12 order, the White House had been collaborating with CISA and other relevant offices to release new guidelines around the use of advanced security systems. The interagency collaboration was a critical part of an ongoing effort to get various agencies up to speed, including those that had not yet begun developing any plans around zero trust, Hartman said.
“It’s important to consider that many of these tasks [in the executive order] are sprints to develop strategies,” he said. “The administration fully recognizes that many of the core issues being addressed will only be solved through years– literally years — of focus and continued investment.
The National Security Agency, for example, released guidance for zero-trust security models ahead of the EO in late February, providing recommendations for implementation and describing the zero-trust security model as “a coordinated system management strategy that assumes breaches are inevitable or have already occurred.”
CISA also developed a zero-trust maturity model in recent weeks for agencies seeking clarity on what key targets can be used to determine progress across five pillars: identity, device, network, application workload and data. A CISA representative later said there was “nothing to share publicly at this time” on the zero-trust maturity model document.
National Security Council Director for Cyber Incident Response Iranga Kahangama said the timelines featured in the order were “aggressive but achievable.” He also described the order as an authoritative document providing clarity about the direction and speed at which the White House aimed to achieve zero trust and an improved national cyber posture.
“I think we realized with the federal government and its complexity, it’s going to take a winding path for each agency,” he said. “But what we wanted to do was really send a signal to the whole bulk of government and to industry that this is where we’re going.”
A tranche of deadlines – those 60 days out from the issuance of the order — are looming. By July 11, agencies must submit plans and milestones for implementing zero-trust architecture and report on these efforts to the Office of Management and Budget and the deputy national security adviser for cybersecurity – a position currently held by Anne Neuberger.
Despite the aggressive deadlines included in the cyber order, zero-trust guidance has been drafted to provide agencies with some flexibility around their own implementation timeframes. Hartman said CISA and the White House were working to develop “many enduring plans with additional milestones” by the 90-day benchmark included in the EO. At that time, OMB is due to issue cloud security guidance to push agencies toward zero-trust architectures.
This article was first posted to FCW, a sibling site to GCN.
