Across the federal IT landscape, Zero Trust Architecture (ZTA) has become a principal topic of conversation. In its 2021 Cybersecurity Information Sheet: Embracing a Zero Trust Security Model, the National Security Agency explains zero trust as "a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy.” Taking the stance of “never trust, always verify,” zero trust requires authorization at each system resource. Authorization is explicit, not implicit.
The Continuous Diagnostics and Mitigation (CDM) program was not initially established as a zero trust solution, per se. As it happens, CDM provides some foundational elements that align directly with risk management and zero trust efforts.
The CDM program is covered as foundational in Executive Order 14028, “Improving the Nation’s Cybersecurity the Federal Zero Strategy Memo (OMB M-22-09); and is covered in NIST SP 800-207 and the Zero Trust Maturity Model. The Zero Trust Maturity Model, in particular, highlights the four CDM capability families of asset management (AM), identity and access management (IdAM), network security management and data security management.
Using CDM capabilities to support a zero-trust transition
Adopting a zero trust architecture requires leaders across the agency to evaluate their technology, processes and management approaches through a zero trust lens. What existing tools will support ZTA? What capability gaps exist and what is the best way to address them? This is the responsibility not only of the Chief Information Security Office (CISO) and the CDM Program Office but of system and process owners across the agency.
Agencies participating in CDM can leverage many of the program’s capabilities and planned implementations to accelerate their transition to zero trust. CDM has already equipped cyber leaders with key elements of the zero trust architecture. The CDM agency dashboard advances the agency's visibility and analytics into key aspects of its digital infrastructure. At the enterprise level, cyber leaders can extend this foundation to achieve automation and orchestration by increasing integration between existing tools.
So, where should cybersecurity leaders start when planning their journey forward with ZTA? Start with those capabilities within the five pillars of zero trust--devices, users, networks, data and application workloads--where you already have some level of maturity.
In particular, the AM and IdAM components, which are currently in place in the CDM program, provide accurate and timely data to the policy decision point (PDP) and policy enforcement point (PEP) mechanisms with regard to dynamic access decisions. From an AM perspective, actual state data concerning a device’s configuration, authorization status and more may be used by PDPs to ascertain a device’s fitness for access. In a similar manner, PDPs may use training status, credential status and more to make informed decisions around a user’s fitness for access.
As a system or process owner within an agency, what should you do? Our advice to leaders across the Federal Civilian Executive Branch: Take CDM capabilities into account when developing zero trust strategies. When you understand your gaps, you can make an informed plan, using CDM capabilities as foundational elements, to help you on your zero trust maturity journey.