Zero-Trust

​CISA Guidance for Zero-Trust

The federal government has once again shown that they are putting a greater emphasis on cybersecurity now in the wake of the events of the past year. Following the executive order put out by the White House in May as well as a memorandum signed by the president back in late July , CISA has put out guidance regarding a transition of the federal government to use of Zero-Trust architecture across every agency.

More specifically, CISA is giving agencies until the end of the fiscal year in 2024 (September 2024) to establish five key principles of Zero-Trust architecture into their systems. This includes the requirement that agencies begin the development of an implementation plan for these principles and submit said plan within 60 days of the release of this document. Agencies are expected to comply to the following:

1. Identity: Agencies are required to consolidate their identification systems and methods for their personnel. Single sign-on will be implemented to only require users to only have to use one set of credentials once per day to gain access to the network. MFA (multi-factor authentication) will also be required to ensure greater security in logins and phishing. Lastly, CISA will provide methods by which agencies can check personnel passwords for data breaches that will show any potential breaches in the system.

2. Devices: It is a necessity for government agencies to have a greater understanding of what devices are being used to access their system. As such, CISA is requiring a full inventory of devices that access the network to be created by these agencies to provide a better view of each agency’s network landscape. As well, the privileges of these devices will be built upon the principle of least-privilege, which attempts to give end users the bare minimum privileges that they need to do their job to help in case of breach. Lastly, it is also required that any devices that gain access to an agency’s system must have an endpoint detection and response tool (EDR) in case of attack on the device.

3. Networks: One of the key tenets of Zero-Trust Architecture is that no network can be trusted. As such, all network traffic, including internal network traffic, should be encrypted in transit to ensure it is unusable in the case of an attack. As well, government agencies should ensure that every .gov domain must utilize HTTPS to ensure that HTTP traffic is encrypted. Email encryption and network segmentation are also key tenets of this area of focus.

4. Applications: Every application must be treated as though it is web accessible. Serious testing of every application should be done accordingly to make sure it is up to security standards, and a third party must be brought in to assist in this testing. A vulnerability disclosure program must be maintained for potential flaws to be exposed, and CISA will provide an inventory of web application and .gov domain that is in use and expects every government agency to provide the names of any non-.gov domains in use.

5. Data: Government agencies control large amounts of data and need to categorize this data to make sure that it is as protected as possible. This requires an assessment of the current inventory and layout of not only data in databases, but also secondary data such as email and document collaboration. They must then follow the new guidelines set out for how to categorize and protect data, which includes protecting access to sensitive documents as well as encrypting data at rest within the cloud.

Overall, the transition of the federal government to Zero-Trust is long overdue, but this guidance by CISA will help push agencies in the correct direction and provide an increased level of security that was severely lacking in the past.

Interested in Zero Trust – CIT can help.

CIT assesses your CyberSecurity posture and overlays it with the most likely attack vectors based on MITRE and CIS Controls; allowing budgets to be directed to the highest priority vulnerabilities. Assessments, Remediation, Co/Fully Managed Security & MSP. Will your CyberSecurity pass the challenge?

Written by Michael Honrine

Comments are closed

Learn More

Learn More
error: Alert: This Content is protected!