Agencies Tackle Obstacles to Zero Trust Implementation

As federal agencies continue their journey toward zero trust, the Cybersecurity and Infrastructure Security Agency noted several different obstacles to work through.

For one, all organizations will be in different places within implementation due to obvious differences in size and missions. Agencies should harness data strategies as a first step.

“At the end of the day, zero trust is about the data and looking at where the data is and the users that access the applications to get to that data,” said CISA Continuous Diagnostics and Mitigation (CDM) Program Manager Judy Baltensperger during a MeriTalk webinar. “Rethinking about building your network inside out — all of them must find the data that is most critical and the most critical software where that data is stored and think through this collection of concepts to move toward zero trust.”

CISA’s CDM dashboard, a federal dashboard that sits at more than 70 agencies, also offers capabilities to collect on users. Baltensperger talked about the importance for agencies to know where all their critical data is stored.

“We have discovered with CDM it’s not just one tool to solve their problems, so we need the agencies to understand their implementation plans, where are they with their current capabilities and what zero trust concepts can they implement with those current capabilities and where are their gaps?” Baltensperger said.

“You can’t just quickly say we need that one tool and blanket it across the entire government because that won’t move all the agencies that are coming from different places,” Baltensperger added.

When it comes to implementation of zero trust, Baltensperger believes a holistic approach is best. Within CDM, CISA takes a more holistic approach because each of its dashboards sits within different hosting environments.

“So with the maturity level at each agency being at different levels, we’re finding that depending on where the dashboard is being hosted, we either have the opportunity to take advantage of that zero-trust capability or move in that direction. And then in other places, we’re waiting for them to establish core foundational capabilities,” Baltensperger said.

“We also have some agencies that are leaning forward and were able to do encryption without having a VPN and then other agencies still have a VPN connection. That disparity and maturity level means we must look at it more holistically,” Baltensperger added.

In MeriTalk report about zero trust maturity, many of its 150 respondents across civilian agencies and the Defense Department reported application security to be a major challenge.

“We’re struggling because there aren’t standards across the environments. There is a system integrator with no guidance for certain capabilities and we’re finding it’s disjointed and we’re struggling to get into an alignment,” Baltensperger said. “That’s why CISA wants to get application security testing at the development stage. We want to look at what is wrong in the code and that needs to be communicated so the developer knows about the code.”

A vast majority across the DOD also feel that inventory data management is a big obstacle. One challenge is getting to the attribute access control, which means there’s a specific data element in a document, and you want to control which individuals in an organization can see that data.

For data to be properly tagged, the tagging needs to happen when data is being collected.

“If we want better tagging, it needs to happen at the collection level, and we’re not finding that. We had the tag at the ingest, and it allowed us to implement it but the level of effort from the system integrator is higher and consequently it’s more costly and less scalable,” Baltensperger said.

Finally, another obstacle for many agencies is data governance. Baltenberger advises that the core foundation of identity needs to be established at all agencies. She also encourages agencies to more broadly adopt all of the ICAM capabilities that CDM can assist and fund.

“All of the interoperability linkages are being manually created by us, and because of all that integration consequently we’re not realizing the outcomes and benefits as quickly because it’s taking us more time and also because we don’t have standardization, there’s not one size that fits all that’s working across the agencies,” Baltensperger said. “I’m going to keep encouraging the core foundations of CDM to be established, and then as those are established in the agency, we can leverage them on the dashboard and then hopefully mature a little bit faster.”