
Zero Trust Security 2.0 and 800-207

  • Writer: Michael Friedrich
  • May 11, 2023
  • 3 min read

While agencies are still sorting through all the guidance, memoranda (whose timelines create complications of their own), and best-practice material, the pressure to speed up the move to Zero Trust (ZT) security keeps growing. So do the cyber threats to networks, supply chains, data, and more. What we are asking agencies to solve is no small task: for years they have been investing in what is now legacy castle-and-moat security, each system with its own owner and fiefdom inside the agency. Breaking down those walls is critical to national security. In this blog, I will briefly discuss some differences between two of the more publicized government ZT frameworks agencies are working with.


The Cybersecurity and Infrastructure Security Agency (CISA) released version 2.0 of its Zero Trust Maturity Model in April 2023, referred to here as the ZT guidance 2.0. The update expands the scope to more devices, networks, and architectures, including cloud environments, reflecting the increasing complexity of IT estates and the need to secure them against emerging threats. Version 2.0 gives more specific direction on applying ZT principles to cloud environments, including recommendations on securing cloud-based applications and data, and it also addresses emerging technologies such as the Internet of Things (IoT) and industrial control systems (ICS).


The National Institute of Standards and Technology (NIST) SP 800-207, Zero Trust Architecture, focuses on implementing ZT within an enterprise (note: updates are coming that will expand on best practices in multiple environments), while the CISA ZT guidance 2.0 covers a broader range of devices, networks, and architectures, including cloud environments. As a result, the CISA guidance is better suited to organizations whose IT environment extends well beyond the traditional enterprise network. NIST SP 800-207 provides more specific guidance on implementing a ZT architecture, while CISA 2.0 provides more general guidance on applying ZT principles across a broader range of devices and environments.


  • Technical detail: NIST SP 800-207 provides more detailed guidance on the technical aspects of implementing ZT. It describes the logical components of a ZT architecture (policy engine, policy administrator, and policy enforcement point), recommends micro-segmentation to limit lateral movement within a network, and offers clear guidance on least-privilege access. The CISA guidance is higher level, describing the principles of ZT and how to apply them to different types of environments. For example, CISA 2.0 offers more guidance on securing cloud-based applications and data, while NIST SP 800-207 treats cloud mainly as one of its deployment scenarios (an enterprise with a multi-cloud strategy) rather than giving cloud-specific recommendations.


  • Risk management: Both frameworks recommend a risk-based approach to implementing ZT, protecting the most critical assets first. NIST SP 800-207 puts more emphasis on measurement: it recommends that organizations develop metrics for the effectiveness of their ZT controls and use them to improve the implementation continuously. The CISA model instead tracks progress through maturity stages assessed for each pillar.


  • Identity and access management: Both frameworks strongly emphasize identity and access management and recommend multifactor authentication and identity-based policies to control access to resources. NIST SP 800-207 gives more specific guidance on implementing these controls, including identity proofing and federated identity management for access across enterprise boundaries. The CISA guidance also stresses identity and access management but stays at a higher level, describing how identity-based policies should govern access.


  • Continuous monitoring: Both frameworks recommend continuously monitoring devices and networks to detect anomalies and potential threats. NIST SP 800-207 is more specific about tools and techniques, such as network intrusion detection systems (IDS) and security information and event management (SIEM) systems, and it treats their output as input to access decisions: the state that monitoring reports feeds the policy engine, so a device that drifts out of compliance can lose access. The CISA guidance also calls for continuous monitoring but describes it more generally as watching devices and networks for signs of malicious activity.


  • Integration with other frameworks: The CISA 2.0 update aligns better with other cybersecurity frameworks, such as NIST SP 800-53 and the Cybersecurity Framework (CSF), which helps organizations fold ZT principles into their overall cybersecurity strategy. For example, the guidance recommends using the NIST Risk Management Framework (RMF, SP 800-37) to identify and prioritize the assets to protect under a ZT model.
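To make the per-request decision model behind these bullets concrete, here is a small policy decision point in Python. It is an added illustration, not code from NIST, CISA, or this blog's author; the users, devices, segment names, the POLICY table, and the request records are all constructed for the example. It brings the points above together in one place: an identity-based, least-privilege policy per resource, an MFA requirement, device posture as an input to the decision, micro-segmentation expressed as the one source segment allowed to reach a resource, and a decision log of the kind a SIEM would ingest for continuous monitoring.

```python
"""Toy zero-trust policy decision point (PDP), modelled loosely on the
policy engine / policy enforcement point split in NIST SP 800-207.
Added example: all identities, devices, segments and policy entries are
constructed for illustration and are not from NIST, CISA or the blog."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    mfa: bool          # multifactor authentication completed for this session


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool      # enrolled in enterprise device management
    compliant: bool    # latest posture check passed (patched, EDR running, ...)


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    src_segment: str   # micro-segment the request originates from
    resource: str
    action: str


# Per-resource policy (constructed). Anything not listed is denied, which is
# what least privilege means in practice: no default allow for any role.
POLICY = {
    "payroll-db": {
        "segment": "hr-apps",          # micro-segmentation: only reachable from here
        "mfa": True,
        "allow": {"hr-analyst": {"read"}, "hr-admin": {"read", "write"}},
    },
    "wiki": {
        "segment": None,               # reachable from any segment
        "mfa": False,
        "allow": {"employee": {"read"}, "editor": {"read", "write"}},
    },
}


def decide(req):
    """Policy engine. Evaluates each request on its own; being inside the
    right network segment is necessary for some resources but never sufficient.
    Returns (allowed, reason)."""
    pol = POLICY.get(req.resource)
    if pol is None:
        return False, "unknown resource (default deny)"
    if not (req.device.managed and req.device.compliant):
        return False, "device not managed or not compliant"
    if pol["mfa"] and not req.subject.mfa:
        return False, "MFA required"
    if pol["segment"] is not None and req.src_segment != pol["segment"]:
        return False, "not reachable from segment " + req.src_segment
    permitted = set()
    for role in req.subject.roles:
        permitted |= pol["allow"].get(role, set())
    if req.action not in permitted:
        return False, "action %s not permitted for roles %s" % (
            req.action, sorted(req.subject.roles))
    return True, "allowed"


def enforce(req, log):
    """Policy enforcement point: asks the engine, records the decision
    (the audit trail a SIEM would ingest), and returns the verdict."""
    allowed, reason = decide(req)
    log.append({"user": req.subject.user, "device": req.device.device_id,
                "segment": req.src_segment, "resource": req.resource,
                "action": req.action, "allowed": allowed, "reason": reason})
    return allowed


def denials_by_user(log):
    """Continuous monitoring: repeated denials from one identity are the
    anomaly signal (probing, or a broken policy) worth alerting on."""
    return Counter(e["user"] for e in log if not e["allowed"])


def run_sample():
    """Constructed requests exercising every branch of the policy."""
    alice = Subject("alice", frozenset({"employee", "hr-analyst"}), mfa=True)
    bob = Subject("bob", frozenset({"employee"}), mfa=False)
    laptop = Device("lt-0042", managed=True, compliant=True)
    byod = Device("byod-7", managed=False, compliant=False)
    log = []
    results = [
        enforce(Request(alice, laptop, "hr-apps", "payroll-db", "read"), log),
        enforce(Request(alice, laptop, "hr-apps", "payroll-db", "write"), log),
        enforce(Request(alice, laptop, "guest-wifi", "payroll-db", "read"), log),
        enforce(Request(alice, byod, "hr-apps", "payroll-db", "read"), log),
        enforce(Request(bob, laptop, "hr-apps", "payroll-db", "read"), log),
        enforce(Request(bob, laptop, "guest-wifi", "wiki", "read"), log),
        enforce(Request(bob, laptop, "hr-apps", "crm", "read"), log),
    ]
    return results, log


if __name__ == "__main__":
    verdicts, decisions = run_sample()
    for entry in decisions:
        print(entry)
    print("denials per user:", dict(denials_by_user(decisions)))
```

Only the first and sixth requests succeed: an analyst on a compliant laptop inside the HR segment can read payroll, and any employee can read the wiki from anywhere. The same analyst is refused when she tries to write, when she comes from the guest network, and when she uses an unmanaged device, which is the difference between this and a castle-and-moat allow list keyed on network location. In a real deployment the engine would pull session MFA state and device compliance from the identity provider and device-management system rather than from fields on the request.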


In conclusion, while there are some differences between NIST SP 800-207 and the CISA ZT guidance 2.0, both frameworks provide valuable guidance on implementing a ZT security model. Organizations should carefully evaluate their IT environment and determine which framework best suits their needs and may find that a combination of the two provides the most comprehensive guidance.



