NIST Zero Trust: Why the Government Recommends This Approach
In a move that may have grown out of frustration as much as out of the need to protect national security, the federal government has announced its intention to go all-in on zero trust cybersecurity measures. During a recent symposium, Pentagon officials pushed for its implementation across the U.S. Department of Defense (DoD) and the military industrial base by the end of fiscal year 2027. Fast-tracking NIST zero trust architecture across government agencies and private-sector businesses appears to be driven by America’s adversaries successfully orchestrating data breaches of government agencies, such as the following:
- Office of Personnel Management Breach: In 2015, foreign threat actors managed to steal the personal information of more than 22 million government workers. The hack exposed current and former employees at the time.
- Democratic National Committee (DNC): Russian hackers allegedly infiltrated the DNC through a weak username and password. The committee had no data access restrictions in place to prevent foreign agents from stealing critical and sensitive information that embarrassed the U.S. government. The hackers reportedly published the government emails on WikiLeaks.
- SolarWinds Supply Chain Attack: In 2020, hackers succeeded in launching a supply chain attack that impacted thousands of private-sector and government agencies. Sophisticated and, potentially, well-funded threat actors managed to breach the Department of Homeland Security, the State Department and the Department of the Treasury.
- Colonial Pipeline: A ransomware attack on the Colonial Pipeline effectively shut down the flow of passenger vehicle gasoline, truck diesel and limited airplane fuel in the Mid-Atlantic states. The supply chain disruption exposed inherent private-sector infrastructure vulnerabilities in 2021.
The zero trust rollout comes in the midst of the DoD’s Cybersecurity Maturity Model Certification (CMMC) timeline. Defense contractors and military supply chain organizations are tasked with meeting stringent cybersecurity measures, largely based on National Institute of Standards and Technology (NIST) guidelines. Ambitious, to say the least, the federal government now wants wide-reaching government agencies and select private-sector corporations to adopt NIST zero trust protections. For those operations impacted by NIST zero trust and CMMC, knowing why may be as important as enlisting the support of a third-party cybersecurity firm to gain compliance.
What is Zero Trust Architecture?
When business professionals outside the managed IT and cybersecurity industry hear the term “Zero Trust,” it can come across as a negative. At first blush, it makes CEOs hesitant because it sounds like they would be declaring personal suspicions about staff members. Getting past that misreading, zero trust has little to do with having confidence that employees are honest, hard-working people. It’s a distinct way to better protect sensitive and valuable digital assets in the cloud-based data age.
One of the primary reasons the feds are advocating for NIST zero trust architecture stems from the fact it serves cloud-based and remote operations better than traditional perimeter defenses. Before the cloud emerged as a more cost-effective way to store data and access programs, defending the attack surface made perfect sense for in-house networks. Security measures such as enterprise-level anti-virus software, firewalls and cybersecurity awareness training hardened a company’s defenses.
The rise of the cloud, together with the pandemic accelerating remote work, pushed data out of physical company systems. That shift was a watershed moment for storing, transmitting and defending digital assets: perimeter walls simply could not protect against hackers compromising employees’ handheld devices and private Wi-Fi networks or intercepting transmissions from weak virtual private networks. Zero trust policies, in contrast to perimeter security, assume cybercriminals will find a way into the system. They put strong defensive policies such as the following in place to deter hackers, and they add a fallback position that assumes hackers will win some attack surface skirmishes.
- Multifactor Authentication: Sending a code to a secondary device before a network user gains access remains a tried-and-true defensive mechanism. Even if digital thieves manage to obtain someone’s login credentials, it is seemingly impossible for them to also receive or guess the code. Multifactor authentication serves as a significant deterrent to hacking threats for remote and cloud-based workforces.
- Least Privilege Access: The principle of least privilege access is a clear-minded cybersecurity defense that accounts for the growing number of successful cybersecurity attacks. In 2023, more than 340 million people were impacted, and the number of attacks rose 72 percent over the previous two years. The average cost to companies, per incident, exceeded $4.4 million. Least privilege access assumes hackers will continue to devise new schemes to leverage employee login credentials. That’s why each user profile comes with strict data and program limits that also hamstring intruders.
- Ongoing Verification: Zero trust cybersecurity accounts for the rise in remote workers and the need for key stakeholders to access a business or governmental agency’s data from anywhere. Cybersecurity experts usually advise industry leaders to include endpoint device verification protocols. This zero trust facet requires device recognition before allowing a login attempt to move forward. Part of the policy may also include geolocation detection to ensure foreign actors cannot breach government agencies, DoD contractors and military supply chain organizations, among others.
Another key NIST zero trust component involves micro-segmentation. This practice separates various types of digital assets within a network. Financial records, personal identity information and trade secrets, among others, are placed in separate areas and secured. Metaphorically speaking, they are protected by digital walls that even advanced persistent threats would find challenging to overcome.
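The checks described above (multifactor authentication, least privilege, endpoint device verification, geolocation and micro-segmentation) come together at what NIST SP 800-207 calls the policy decision point: every access request is evaluated against all of them and is denied unless each one passes. The following Python sketch of such a decision point is an added example, not code from the article, from Red River or from NIST; every role, device ID, segment name and country rule in it is a constructed assumption, and real deployments would pull those from an identity provider and device inventory rather than hard-coded tables.

```python
"""Toy zero trust policy decision point (added example; all data constructed)."""
from dataclasses import dataclass, field

# Micro-segmentation: each resource lives in exactly one segment (constructed).
RESOURCE_SEGMENT = {
    "ledger-db": "finance",
    "payroll-db": "finance",
    "hr-records": "pii",
    "design-repo": "trade-secrets",
}

# Least privilege: a role may reach only the segments its job needs (constructed).
ROLE_SEGMENTS = {
    "accountant": {"finance"},
    "hr-analyst": {"pii"},
    "engineer": {"trade-secrets"},
}

# Endpoint verification: device IDs enrolled with the organization (constructed).
ENROLLED_DEVICES = {"laptop-0421", "laptop-0788", "tablet-0112"}

# Geolocation: countries from which logins are accepted (constructed policy).
ALLOWED_COUNTRIES = {"US"}


@dataclass
class AccessRequest:
    user: str
    role: str
    device_id: str
    country: str
    mfa_verified: bool   # asserted by the identity provider after a second factor
    resource: str


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # every failed check, for the log


def evaluate(req: AccessRequest) -> Decision:
    """Deny by default: the request must pass every check to be allowed.

    All failed checks are collected instead of stopping at the first one, so
    the resulting log line carries enough detail for monitoring and alerting.
    """
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa-missing")
    if req.device_id not in ENROLLED_DEVICES:
        reasons.append("device-unknown")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("geo-blocked")
    segment = RESOURCE_SEGMENT.get(req.resource)
    if segment is None:
        reasons.append("resource-unknown")
    elif segment not in ROLE_SEGMENTS.get(req.role, set()):
        # Least privilege plus micro-segmentation: the role has no business here.
        reasons.append(f"segment-{segment}-not-in-role-{req.role}")
    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    good = AccessRequest("alice", "accountant", "laptop-0421", "US", True, "ledger-db")
    bad = AccessRequest("alice", "accountant", "laptop-9999", "RU", False, "hr-records")
    for r in (good, bad):
        d = evaluate(r)
        print(r.user, r.resource, "allow" if d.allowed else "deny", d.reasons)
```

Note that the same valid credentials are allowed to reach the ledger and refused for the HR records: compromised credentials alone get an intruder nothing outside the segments the role is entitled to, which is the fallback position the article describes.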
How We Arrived at NIST Zero Trust Cybersecurity
The DoD had been hard at work developing cybersecurity measures to exceed those of perimeter defenses even before the term “zero trust” was coined. In 2004, the DoD and Defense Information Systems Agency published the concept of shifting away from the perimeter paradigm. The prevailing thinking was to create a cybersecurity model that would establish virtual obstacles across the digital landscape.
Under that concept, known two decades ago as Black Core, cybersecurity experts humbly accepted the fact that well-funded and highly trained enemies would continue to evolve their cyberattack methods and would occasionally breach systems. The best way to protect national security was to introduce a fail-safe strategy that limited access to critical information once the invaders had breached the castle walls. The term “zero trust” was later used to describe the wide-reaching techniques used to constrain hackers from rogue nations. NIST Special Publication 800-207 speaks to the federal government’s efforts to encourage zero trust measures.
Federal agencies have been urged to move to security methods based on zero trust principles for more than a decade. The feds advanced the effort to further zero trust capabilities and policies through vehicles such as the Federal Information Security Modernization Act (FISMA) followed by the Risk Management Framework (RMF); Federal Identity, Credential and Access Management (FICAM); Trusted Internet Connections (TIC) and Continuous Diagnostics and Mitigation (CDM) programs. “All of these programs aim to restrict data and resource access to authorized parties,” according to NIST Special Publication 800-207.
In 2023, NIST published the Zero Trust Architecture Model for Access Control in Cloud-Native Applications in Multi-Cloud Environments. That document, NIST Special Publication 800-207A, outlines the basic tenets and current thinking about zero trust for the express purpose of turning the concepts into a determined cybersecurity reality.
DoD Zero Trust Recommendations
Although the federal government appears wedded to building a comprehensive zero trust landscape, the DoD continues to press the case and lead by example. That may stem from the fact that the armed forces and national defense agencies deal with actionable intelligence that could be used against American citizens if it falls into the wrong hands. Based on NIST zero trust recommendations, the DoD initially urged 45 new and related capabilities to be integrated into networks handling sensitive information. Recent announcements point to the DoD upping the ante to 91 capabilities. Up to 20 of these capabilities are linked to the Continuous Diagnostics and Mitigation program operated under the purview of the Cybersecurity and Infrastructure Security Agency. These are what cybersecurity insiders are calling the “four pillars” of zero trust adoption by the Pentagon.
- Cultural Adoption: The federal government plans to make zero trust education, awareness and training a mandatory part of employment. In an effort to create a robust cybersecurity culture, the Pentagon intends to enhance workforce knowledge about zero trust architecture, methodologies and pragmatic support.
- Cybersecurity Infrastructure: Legacy systems present potential cybersecurity gaps and vulnerabilities when organizations attempt to patch together zero trust architecture. The Pentagon is reportedly already working on ways to broadly and effectively implement zero trust architecture across newly minted and older systems.
- Technology Acceleration: Conventional wisdom includes the notion that advanced persistent threats will continue to develop technologies, techniques and workarounds to outflank zero trust defenses. The Pentagon is calling for an accelerated rollout and ongoing updates to stay ahead of foreign hackers.
Benefits of Integrating NIST Zero Trust Security Measures
“Our protection and detection methodologies absolutely need to change in order to defend against today’s adversaries. Because of this, zero trust is my top cybersecurity initiative. I absolutely believe zero trust will greatly improve our ability to defend our networks against sophisticated attacks,” DoD Deputy Chief Information Officer David McKeown reportedly said. “It is not just a program, or a new application, zero trust is an evolution of our entire security landscape. By embracing it, we not only protect our data, but we strengthen our defenses and preserve our way of life.”
Led by the DoD, the federal government strongly advocates for the adoption and ongoing upgrades to NIST zero trust cybersecurity measures. When implemented broadly and effectively, they can close cybersecurity gaps hackers routinely exploit. Perhaps more importantly, they rank among the best ways to detect, deter, limit and repel cyberattacks leveled by adversaries such as Iran, Russia and China, among others. These are zero trust benefits that government agencies and private-sector organizations gain by implementing security measures.
- Compliance: The Pentagon’s insistence on NIST zero trust architecture is consistent with its ongoing CMMC mandate. Adopting these principles helps organizations in the military industrial base achieve CMMC compliance. Companies that receive and transmit information with other agencies can also further their compliance and assure their lucrative federal contracts.
- Visibility: As a byproduct of adopting zero trust, companies enjoy greater login and user visibility. Least privilege access profiles restrict which digital locations a user can reach. Should a foreign hacker attempt to stretch or circumvent the parameters of a given user profile, cybersecurity alerts may be triggered, mainly because cybersecurity solutions such as AI and machine learning can issue alerts when cybercriminals attempt to exceed profile limitations.
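The visibility benefit above comes from the fact that a zero trust policy engine records every denied request, so an account repeatedly bumping against the edge of its least-privilege profile stands out in the log. The following Python detection routine is an added example, not code from the article or from Red River; the log format, field names, sample lines, threshold and time window are all constructed. It counts denied attempts per user inside a sliding window so that a burst of out-of-profile requests raises an alert while a single stray denial over the course of a day does not.

```python
"""Alert on accounts repeatedly denied outside their profile (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample decision log: one line per evaluated access request.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice role=accountant resource=ledger-db decision=allow
2024-05-01T09:12:40Z user=alice role=accountant resource=hr-records decision=deny reason=segment-pii-not-in-role-accountant
2024-05-01T09:13:05Z user=alice role=accountant resource=design-repo decision=deny reason=segment-trade-secrets-not-in-role-accountant
2024-05-01T09:13:30Z user=alice role=accountant resource=payroll-db decision=allow
2024-05-01T09:14:10Z user=alice role=accountant resource=hr-records decision=deny reason=segment-pii-not-in-role-accountant
2024-05-01T11:40:00Z user=bob role=engineer resource=hr-records decision=deny reason=segment-pii-not-in-role-engineer
2024-05-01T15:02:00Z user=bob role=engineer resource=design-repo decision=allow
"""

DENY_THRESHOLD = 3               # denied attempts per user (constructed tuning)...
WINDOW = timedelta(minutes=5)    # ...within this sliding window


def parse_line(line):
    """Turn '<timestamp> key=value ...' into a dict; 'ts' becomes a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_alerts(log_text):
    """Return [(user, deny_count, window_start)] for every user whose denied
    attempts reach DENY_THRESHOLD inside WINDOW. One alert per user."""
    denies = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["decision"] == "deny":
            denies[rec["user"]].append(rec["ts"])

    alerts = []
    for user, times in denies.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window forward until it spans at most WINDOW.
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= DENY_THRESHOLD:
                alerts.append((user, end - start + 1, times[start]))
                break
    return alerts


if __name__ == "__main__":
    for user, count, since in find_alerts(SAMPLE_LOG):
        print(f"ALERT {user}: {count} out-of-profile denials since {since.isoformat()}")
```

With the constructed log, alice trips the alert (three denials for segments outside the accountant role inside two minutes) while bob's single denial hours earlier does not; the allowed requests never count, so a busy but well-behaved account stays quiet.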
At its core, the zero trust approach reduces an organization’s risk, and that provides wide-reaching benefits. Employing this strategy helps protect businesses from incurring fines, should a minimal data breach occur. Achieving informational protection compliance also demonstrates a business has gone above and beyond to protect the sensitive information of customers, clients and key stakeholders.
Challenges of Integrating NIST Zero Trust Architecture
It’s important for decision-makers considering a zero trust strategy to understand that integration often proves to be a complex process. There is no one-size-fits-all, zero trust approach. A thorough risk assessment and operational analysis will likely need to be performed to determine the best way to build a comprehensive cybersecurity defense. Failing to conduct due diligence can result in gaps and vulnerabilities that hackers will find and exploit.
Although the advanced cybersecurity strategy typically tasks industry leaders with enlisting the support of a managed IT firm with zero trust expertise, the results are well worth the investment. Perimeter approaches cannot adequately protect the expanding attack surface of companies that utilize cloud solutions and remote workforces.
Implement Zero Trust Cybersecurity with the Help of Red River
At Red River, we work with organizations and agencies to craft cybersecurity solutions that detect, deter and expel threat actors. If you are interested in taking your data security to the next level, contact us today. Let’s get the process started.