Thoughts Regarding CISA Zero Trust Maturity Model -- Where Post Quantum Cryptography Fits In
During the Fall of 2021, QuSecure responded to a solicitation for public comment on the initial draft of the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model. The goal of CISA’s model is to assist agencies in the development of zero trust strategies and implementation. As a cybersecurity company focused on post-quantum cryptography, QuSecure places an emphasis on zero trust as well as on the need for national cybersecurity standards. It is critical that CISA and private-sector organizations work collaboratively to implement zero trust capabilities. In this regard, please see our feedback on the Zero Trust Maturity Model below:
The Zero Trust Maturity Model is sufficient as an initial outline of the pathway toward zero trust implementation. However, more detailed guidelines for implementation and specific standards will need to be defined and distributed amongst agencies to effectively transition toward zero trust. The document serves the purpose of a high-level overview of the goals for the transition to zero trust but lacks sufficient information to help agencies begin this process now. The document states that the transition to zero trust will be slow and incremental, yet there is a need for urgent change as the volume of cyberattacks on our nation continues to increase. Each day that agencies do not implement zero trust creates further risk and liability; CISA needs to make a concentrated effort to accelerate this transition and provide detailed guidelines with immediacy. The document should include several initial steps that agencies can take now to expedite their transition toward zero trust, such as internal cybersecurity audits and prioritization of sensitive data. Agencies cannot afford to wait for further directives from CISA: it will be the responsibility of individual agencies to initiate this transition, and CISA needs to provide the resources for agencies to begin it immediately.
During the initial stages of zero trust implementation, it is important to clearly define the three crosscutting capabilities: Visibility & Analytics, Automation & Orchestration, and Governance. Agencies must advance all three capabilities to minimize vulnerability and maximize compliance. However, as the five pillars (Identity, Device, Network/Environment, Application Workload, and Data) develop incrementally toward Optimal Zero Trust Architecture (Optimal ZTA), these crosscutting capabilities will become interdependent and indistinguishable. In an optimal ZTA, Governance, Visibility, and Orchestration are automated processes with each capability building on the others. This optimal architecture will increase efficiency while offering the highest level of zero trust and compliance. For instance, Table 1: Identity Pillar defines Optimal Governance Capability as “Agency fully automates technical enforcement of policies. Agency updates policies to reflect new orchestration options.” Ideally, an agency would integrate technical enforcement of policies and centralized visibility within the automated architecture thereby eliminating the need to delineate the two capabilities. Delineation of the three crosscutting capabilities is important for the initial implementation of zero trust, but CISA needs to clearly define Optimal ZTA as an automated architecture that integrates all three capabilities simultaneously. Additionally, CISA needs to define the prioritization and hierarchy of these pillars and capabilities. Agencies will need to identify and prioritize the most sensitive components of their network to expedite the transition to zero trust. This process will require agencies to conduct internal audits of their systems to assess which components are most vulnerable and which will require zero trust capabilities most urgently. Without defined prioritization of the pillars and capabilities, it will be difficult to maintain and enforce compliance across agencies.
Clearly defining the pillars will be crucial to the successful implementation of the zero trust model. The best-defined pillars are Identity and Devices; these pillars should act as initial stepping stones for full ZTA implementation. Tools like multifactor authentication and unique device identification systems are already in use and serve as important tools for agencies with limited resources to implement zero trust. One role that should be highlighted is the use of trust relationships between authenticating and authorizing applications or networked devices to create a strong one-to-one binding for a more secure channel, with a specific requirement to prevent an attacker from replaying messages after the session is initiated, and to check for multiple session connections using the same authentication relationship.
The Network, Application Workload, and Data pillars need to be more clearly defined, as all three of these pillars include components of the Identity and Devices pillars within their respective scopes. Network should be defined strictly as the communication channels between devices and application layers, and CISA should work collaboratively with NIST to develop standards for these communication channels to prevent a variety of attack vectors. As CISA continues to roll out guidance for zero trust implementation, the Application and Data pillars will need to become more specific. There is an emphasis on encryption within the Data pillar; however, the encryption standards are not clearly defined. CISA and NIST must align their standards for encryption so that agencies develop encryption architecture within the evolving standards of NIST, specifically regarding post-quantum cryptography. Agencies must also be looking at how to better manage long-duration secrecy beyond what the perfect forward secrecy schema provides. There is a limited understanding of the need for post-quantum cryptography across agencies; therefore, it will be critical that CISA creates awareness of the NIST post-quantum cryptography standardization project and issues implementation guidelines that require the use of NIST-approved post-quantum algorithms. Furthermore, CISA should include several options for agencies to start implementing post-quantum cryptography now and make agencies aware of the options that are currently available.
To support the transition to zero trust, the Zero Trust Maturity Model needs to define timelines and specific standards across the five pillars. Without concrete details, agencies are likely to continue operations with their existing cybersecurity architectures until otherwise directed. CISA needs to define tangible and realistic milestones that agencies can work toward. The Zero Trust Maturity Model is an important billboard announcement to the public, but it does not meet the needs of agencies looking to transition to zero trust immediately. CISA will need to incorporate specific instructions for agencies looking to begin their transition to zero trust now if we are to achieve full zero trust implementation within an acceptable timeframe.