Zero Trust Should Guide Agencies’ Cybersecurity Investments, NSA Official Says
Government agencies should put zero trust at the center of their cybersecurity investment strategy, according to an official from the National Security Agency.
Zero trust is a modern security model dictating that users, devices and systems should not be trusted solely due to their physical or network location or their ownership, according to the National Institute of Standards and Technology.
Neal Ziring, the technical director of NSA’s cybersecurity directorate, said that the field of zero trust has matured to the point where it can guide an organization’s investments in cybersecurity, FCW reported Wednesday.
He recommended that agencies implement zero trust principles in a step-by-step manner, addressing areas like authentication and data control policies one at a time. “It’s always going to be stepwise. You can’t do a flag day,” Ziring said at an event held by the Intelligence and National Security Alliance.
Zero trust is a key element of President Joe Biden’s May 2021 executive order on modernizing the federal government’s cybersecurity.
In late January, the White House’s Office of Management and Budget issued a memorandum requiring government agencies to meet certain zero trust objectives by fiscal year 2024.
OMB’s directives are based on the zero trust maturity model published by the Cybersecurity and Infrastructure Security Agency in September 2021.
CISA’s model has five major lines of effort: the adoption of enterprise-managed identities, the creation of a completed inventory of government devices, encryption of network and internet traffic, protection of internet-connected devices and the use of cloud security services for sensitive data.