Chris Hughes
Contributing Writer

8 takeaways for CISOs from the NSTAC zero-trust report

Mar 10, 2022 | 6 mins
CSO and CISO | Zero Trust

The zero-trust recommendations for federal agencies from the National Security Telecommunications Advisory Committee apply well to the private sector, too.

[Image: zero trust security model, secured network. Credit: iStock]

Any doubts around zero trust are being squashed by the flurry of zero-trust-focused publications, memos and guidance from government organizations. Hot on the trail of the Federal Zero Trust Strategy comes the Zero Trust and Trusted Identity Management report from the National Security Telecommunications Advisory Committee (NSTAC) headed to President Biden.

The report does an excellent job summarizing the history of zero trust, originating in the private sector, as well as the slew of zero-trust efforts, guidance and requirements that continue to stream from authoritative government sources. One was the Cybersecurity Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, which tasked NSTAC to focus on key issues, including zero trust and trusted identity management.

The report also emphasizes some of the challenges and enablers of zero-trust implementation, neither of which is specific to the federal government; both apply to the private sector as well. This includes the need for proper oversight and maturity metrics, transparency, and a focus on continuous improvement.

These are eight of the NSTAC report’s key takeaways for both public- and private-sector security leaders.

1. Zero trust is a long-term, transformational commitment

Among the most prominent key takeaways is the affirmation that zero trust is a transformational effort that will require a commitment measured in a decade and beyond. This will include industry and organizational policy changes to drive a culture of zero trust and to begin the monumental task of fundamentally re-architecting the way organizations’ technology systems are structured. Keep this in mind when you’re being pitched the next hot widget that vendors claim will make you “zero trust compliant” overnight.

2. Strong zero-trust guidance is available: Use it

If you want to be knowledgeable about zero trust, lean into established guidance and publications. This includes sources like NIST 800-207: Zero Trust Architecture, DoD’s Zero Trust Reference Architecture, NSA’s Embracing a Zero Trust Security Model, CISA’s Zero Trust Maturity Model, and OMB’s Federal Zero Trust Strategy. While these sources are not every possible source of zero-trust guidance and documentation, they can certainly give you a solid understanding both of the nature of the problem drawing an entity as large as the federal government to the zero-trust model and of the strategy, recommendations and targets the government is aiming for.

The report also pulls from other sources, such as CISA’s and NSA’s 5G Cloud Security guidance, which emphasizes fundamental aspects of zero trust such as encryption, microsegmentation, strong authentication and the transformative role that cloud computing can play in pursuing zero-trust implementations.

3. Have an implementation plan

Like any other long-term, strategic project, zero-trust implementation requires a plan. The NSTAC guidance lays out a five-step process for zero-trust implementation:

  1. Define your protect surface
  2. Map the transaction flows
  3. Build a zero-trust architecture
  4. Create zero-trust policy
  5. Monitor and maintain the network

This process both emphasizes the iterative and time-intensive process of working toward zero trust and squashes some of the myths that you can simply buy zero trust.
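To make the five steps concrete, here is an added example (not code from the NSTAC report or from this article) that models them as a tiny policy decision point: the protect surface and transaction flows are constructed sample data, the rule format is a hypothetical simplification of a who/what/where style policy, and every decision is written to an audit log so that the “monitor and maintain” step has something to consume. Anything not explicitly allowed is denied.

```python
"""Toy zero-trust policy decision point (PDP) following the five NSTAC steps.

Added illustration only. The protect surface, flows, rules and requests below
are constructed sample data, and the Rule/Request shapes are hypothetical.
"""
from dataclasses import dataclass, asdict
from typing import Dict, FrozenSet, List, Optional, Tuple

# Step 1: define the protect surface (constructed sample data, assets,
# applications and services worth protecting).
PROTECT_SURFACE: Dict[str, Dict[str, str]] = {
    "payroll-db": {"classification": "restricted"},
    "hr-portal": {"classification": "internal"},
}

# Step 2: map the transaction flows (constructed): which service may talk
# to which, and on what port. This is what microsegmentation enforces.
FLOWS: List[Tuple[str, str, int]] = [
    ("hr-portal", "payroll-db", 5432),
]


@dataclass
class Request:
    """A single access request as seen by the policy engine."""
    identity: str
    role: str
    device_managed: bool
    mfa: bool
    resource: str
    action: str


@dataclass
class Rule:
    """An explicit allow rule; there are no deny rules because the default is deny."""
    name: str
    resource: str
    roles: FrozenSet[str]
    actions: FrozenSet[str]
    require_mfa: bool = True
    require_managed_device: bool = True


# Step 4: create zero-trust policy as explicit allows (constructed sample rules).
POLICY: List[Rule] = [
    Rule("hr-read-payroll", "payroll-db", frozenset({"hr-analyst"}), frozenset({"read"})),
    Rule("staff-read-hr-portal", "hr-portal", frozenset({"employee", "hr-analyst"}),
         frozenset({"read"}), require_mfa=False),
]

# Step 5: monitor. Every decision, allow or deny, is recorded here.
AUDIT_LOG: List[dict] = []


def flow_allowed(source: str, dest: str, port: int) -> bool:
    """Step 3 in miniature: only mapped flows may cross a segment boundary."""
    return (source, dest, port) in FLOWS


def evaluate(req: Request, policy: Optional[List[Rule]] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Unmatched requests are denied by default."""
    rules = POLICY if policy is None else policy
    if req.resource not in PROTECT_SURFACE:
        decision = (False, "resource not in protect surface")
    else:
        decision = (False, "no matching rule (default deny)")
        for rule in rules:
            if rule.resource != req.resource:
                continue
            if req.role not in rule.roles or req.action not in rule.actions:
                continue
            # A rule matched on who/what; now check the per-request signals.
            if rule.require_mfa and not req.mfa:
                decision = (False, f"{rule.name}: MFA required")
            elif rule.require_managed_device and not req.device_managed:
                decision = (False, f"{rule.name}: managed device required")
            else:
                decision = (True, rule.name)
            break
    AUDIT_LOG.append({**asdict(req), "allowed": decision[0], "reason": decision[1]})
    return decision


def denied_count() -> int:
    """Monitoring helper: how many decisions in the log were denials."""
    return sum(1 for entry in AUDIT_LOG if not entry["allowed"])


if __name__ == "__main__":
    print(evaluate(Request("alice", "hr-analyst", True, True, "payroll-db", "read")))
    print(evaluate(Request("alice", "hr-analyst", True, False, "payroll-db", "read")))
    print(evaluate(Request("bob", "employee", True, True, "payroll-db", "read")))
    print("denials so far:", denied_count())
```

The point to take from the structure, rather than the sample values, is that the policy only ever grows by adding explicit allows scoped to a protect-surface resource, that device and MFA signals are evaluated per request rather than once at login, and that the audit log is produced as a by-product of enforcement rather than bolted on afterwards.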

4. Align zero-trust strategy with compliance requirements

There’s also no denying that the push for zero trust is a cumbersome process, one that requires a commitment of resources in terms of capital, time and human effort. This push doesn’t negate existing requirements such as those related to compliance. The report stresses the need to clarify and bring alignment between the zero-trust strategy and existing compliance requirements, such as FISMA in the government’s case.

Organizations already struggle with these existing reporting and compliance requirements, so without an alignment between the two, organizations will be destined to fail. A key recommendation is for NIST to map controls from 800-53 to zero trust, so that the efforts work in tandem rather than in isolation.

There’s also the reality that as organizations begin to re-architect and design their systems and networks for zero-trust alignment, compliance and authorization efforts may need to be conducted again. Without automation in these cases, agencies and organizations will drown in the two efforts being executed in parallel. Anyone who has done IT compliance work in the federal sector knows how burdensome it is, and zero trust, if done in isolation, will just add to that workload.

5. Establish a zero-trust program office

Other key recommendations and enablers include the need for a zero-trust program office and maximizing the use of shared services in key domains. The Department of Defense (DoD) recently announced that it was standing up a zero-trust program office. The NSTAC report calls for the federal government to do the same, to create a dedicated location to host implementation guidance, architectures, playbooks and more.

This will provide the federal government with a centralized location that agencies can lean into and leverage to expedite their own independent zero-trust implementation efforts. Commercial organizations can do something similar, especially large enterprises with disparate business units that often act in silos. Zero trust is an enterprise- and organization-wide effort that requires a central location for cohesion.

6. Share security services for certain functions

Building on the need for a centralized program office is the recommendation to share security services for specific functions such as internet-accessible asset discovery. IT/Cybersecurity-shared services can offer myriad benefits for agencies and organizations alike. This includes cost/licensing efficiencies, improved visibility and increased effectiveness.

Tool sprawl and siloed solutions fail to deliver the enterprise-wide visibility and impact needed to make zero trust a success in large organizations such as the federal government and DoD. Tied to the reality of tool sprawl is the report’s observation that zero trust has led to market hype and vendor buzz. The NSTAC report points out that deploying multiple solutions leads to both management complexity and end-user integration and friction challenges, all of which can certainly hamper zero-trust success.

7. Use cloud services to accelerate zero-trust adoption

If you’ve been in IT for the last several years, you know that cloud matters a lot. The push for zero trust is no exception, with NSTAC stating that, “Faster adoption of cloud services will significantly accelerate federal agencies’ adoption of zero trust.” The benefits run the gamut across areas such as data, identity and automation. Cloud adoption can also help agencies and organizations struggling with the growth of the remote workforce.

8. Effective identity management is crucial to zero-trust success

One of the last key takeaways is the emphasis on just how fundamental identity is for zero trust. This includes both person and non-person entities. The guidance stresses the need for modern identity management solutions that align with the modern cloud-native and remote workforce environment both federal and private sector organizations find themselves in. A great place to start is NIST 800-63-3: Digital Identity Guidelines.

This article covers only a handful of the recommendations and insights around the opportunities and challenges of zero-trust adoption in government, but the NSTAC report is a good place for any organization to start with zero trust.


Chris Hughes currently serves as the co-founder and CISO of Aquia. Chris has nearly 20 years of IT/cybersecurity experience. This ranges from active duty time with the U.S. Air Force, service as a civil servant with the U.S. Navy and General Services Administration (GSA)/FedRAMP, and time as a consultant in the private sector. In addition, he is an adjunct professor for M.S. cybersecurity programs at Capitol Technology University and University of Maryland Global Campus. Chris also participates in industry working groups such as the Cloud Security Alliance’s Incident Response Working Group and serves as the membership chair for Cloud Security Alliance D.C. Chris also co-hosts the Resilient Cyber Podcast. He holds various industry certifications such as the CISSP/CCSP from ISC2, as well as both the AWS and Azure security certifications. He regularly consults with IT and cybersecurity leaders from various industries to assist their organizations with their cloud migration journeys while keeping security a core component of that transformation.
