October 01, 2021

WASHINGTON – Today, global tech trade association ITI offered additional recommendations to guide the U.S. government as it adopts of Zero Trust Architecture (ZTA) across federal agencies. ITI’s comments in response to the recent publication of the Cybersecurity and Infrastructure Security Agency's (CISA) Zero Trust Maturity Model and Cloud Security Technical Reference Architecture as required by Section 3 of Executive Order 14028 on Improving the Nation’s Cybersecurity.

“We appreciate the persistent effort from the Biden Administration to improve our nation’s cybersecurity in the face of relentless threats,” ITI wrote in its comments. “We agree with the overall objectives of Executive Order 14028 and commend the administration for embracing a coordinated and whole-of government approach to cybersecurity risk management. The requirements pursuant to Section 3 will advance a common security baseline across the federal government by linking the modernization of government IT to cybersecurity, specifically zero trust.”

To support agencies’ migration to a ZTA, ITI most recent recommendations include:

  • Align the targeted end-state to use cases rather than technology silos. For agencies to effectively adopt Zero Trust, it will be critical for them to understand the horizontal relationships across security segments. In its current form, the documents appear to perpetuate the concept of security silos, addressing challenges in context solely to areas of functional capability (e.g., identity, data, devices). Operational use cases can produce meaningful insights that bridge traditional scenarios and highlight policy, technology, and organizational gaps.

  • Align the documents to one another and to other federal guidance. CISA and OMB’s decision to publish the three documents concurrently accurately reflects the interlinkages and interdependencies among this important guidance. It is critical that CISA and OMB maintain their close collaboration. All changes to any of these documents should be discussed in the interagency and appropriately reflected in the remaining documents. To ensure the adoption of a coherent strategy throughout the federal government, we strongly encourage CISA work with OMB and other federal agencies to prevent the divergence of agencies’ approaches to zero trust.

  • Include guidance on migration to hybrid cloud environments. Agencies will not migrate all systems to the cloud immediately. The documents don’t address this reality. This lack of guidance does not align well with agencies’ fiscal realities, their need to prioritize resources, their risk posture of systems, or the potential cost of upgrading legacy systems. CISA should expand its current guidance to account for this reality.

  • Expand guidance on hybrid and BYOD work environments. Agencies have adopted policies and tools to enable hybrid work environments necessitated by COVID. OMB’s guidance should recognize this reality and provide recommendations for how ZTA can succeed in those situations. The Strategy should expand its guidance on how agencies can build a ZTA in work environments with hybrid or bring-your-own-device (BYOD) policies.

  • Address workforce concerns. Agencies do not have enough qualified people to effectively implement most of the guidance from the documents. Agencies should consider the “total cost of ownership” as they build out their cloud security architecture. Some solutions may be easy to adopt within one account or a specific region but may not scale well to multiple accounts or regions. CISA should provide guidance on how agencies should address these workforce concerns.

Read ITI’s full comment submission here. Last month, ITI submitted comments come in response to the Office of Management and Budget's (OMB) request for industry input on the Federal Zero Trust Strategy as part of the Executive Order 14028 on Improving the Nation’s Cybersecurity.