NIST Zero Trust Guidelines: What CISOs Want to See

Posted by Marbenz Antonio on October 3, 2022

Why getting microsegmentation right is key to zero trust | VentureBeat

Federal agencies in the United States have long lagged in terms of cybersecurity. To get things moving across the agencies, President Joe Biden had to issue an executive order. The government program also acts as a wake-up call for businesses that are slow to implement NIST Zero Trust.

The National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB), and the Cybersecurity and Infrastructure Security Agency (CISA) all replied to the president’s order by providing specific instructions for government agencies. The National Cybersecurity Center of Excellence published instructions on using a zero trust architecture as well as sample methods.

According to the OMB, federal departments and agencies have until 2024 to implement zero trust. Five pillars for zero trust have been identified by CISA: identity, devices, networks, applications and workloads, and data. Summary; strategy, architecture, security characteristics; how-to guides; and functional demonstrations are the four phased volumes that NIST intends to release with its guide. Cybersecurity professionals are closely monitoring them as they might offer clear best practices and guidelines for rollouts.

Benefits of Following CISA’s Advice

CISA emphasized that this advice benefits organization of all kinds, not only government agencies, and offers a wide range of advantages.

Chief information security officers (CISOs) well-versed in the specifics of zero trust are aware of the objectives of the government’s zero trust push:

  • Stop depending on secure perimeter defenses. Thanks to remote work, cloud computing, mobile devices, and the Internet of Things, clear perimeters no longer exist for the majority of enterprises.
  • Ensure that security and access are not reliant on a specific place. Therefore, neither insiders nor outsiders are necessarily welcomed nor excluded.
  • Having access to one resource does not automatically grant you access to any further lateral resources.
    Strong data encryption, better central insight into who is accessing what, and enhanced cybersecurity procedures are additional factors.

The Challenges of Meeting NIST Zero Trust Requirements

Zero trust is a “set of concepts and ideas meant to decrease uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network seen as compromised,” according to NIST.

Unfortunately, according to a poll by General Dynamics Information Technology, fewer than half of federal agencies are anticipated to complete all zero trust requirements by the target date of 2024. The poll also revealed that 58% of participants said one of the biggest obstacles to utilizing zero trust was having to rebuild or replace the current legacy infrastructure. Additionally, nearly half (48%) said that their agencies lacked the necessary knowledge.

Legacy infrastructure is therefore a big problem. The habits that accompany it as well as the infrastructure itself are to blame for this. The transition will be difficult in part due to the way that governments organize and categorize their datasets.

A further difficulty is training. Take note of the infamous “skills gap.”

Ja’Nelle Devore, CISO of the Department of Agriculture, stated that “we have enough employees, the issue is training.” “You have to re-integrate how they work when you have multiple tools that will be a part of your zero trust utilization.”

The next question is: How can zero trust be implemented while yet maintaining or accomplishing regulatory compliance goals? Start by coordinating the zero trust strategy with the regulations. (The NIST recommendations will encourage the partnership of compliance and zero trust efforts.)

Finally, not all vendors often used by U.S. government agencies are prepared to support or implement zero trust.

A Hands-On Team Effort

The NIST zero trust program of the government makes clear that zero trust cannot exist in a vacuum. Changing authentication and security also necessitates changing staff training, legacy data management, and regulatory compliance. It necessitates changing the IT infrastructure, namely the cloud security plan.

What applies to federal agencies also applies to businesses who want to quickly adopt zero trust.

NIST Zero trust is not a set-it-and-forget-it idea, the truth be told. It requires constant modification.

Regarding funding, the mandates fall short given other priorities. Better direction is generally needed for the government mandates about the specifics of minimizing tool sprawl.

In the end, it doesn’t give clear instructions on how to establish authentication. It’s also necessary to find solutions to problems like those involving biometrics and privacy. Zero trust necessitates continual identity verification for both authorized workers and non-employees.

How the NIST Zero Trust Guidelines Can Help

The fact that NIST and the other agencies’ materials and recommendations assist normalize, explaining, and defending industry investments in zero-trust systems is one of their most significant advantages. The era of nerdy, isolated voices advocating complete distrust has long since passed. These days, it is the subject of presidential executive orders on emergencies and complete federal government reform.

Organizations that refuse to participate will pay the price. The moment has come to include quotations from and references to official NIST documents, guidelines, white papers, and even executive orders in C-suite and board-meeting pitches for zero trust investing. This strengthens leadership alignment, which is at the moment the main barrier to zero trust in top companies.

Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.

For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com

Verified by MonsterInsights