CISA Model Helps FDA, CFPB in Zero Trust Journey
Agency leaders say that the Zero Trust Maturity Model has been valuable for learning implementation lessons.
Leaders from the Food and Drug Administration (FDA) and Consumer Financial Protection Bureau (CFPB) are seeing benefits in using the Cybersecurity and Infrastructure Security Agency's (CISA) Zero Trust Maturity Model in their new zero trust implementation efforts amid growing needs to modernize cloud workspaces and protect data.
“We’re one hack away from a headline,” FDA CISO Craig Taylor said at an event this week. The FDA is often a target of cyberattacks; Taylor put the number at about 13 to 15 billion attempts a month.
Taylor said the agency used CISA’s framework to introduce a proactive cybersecurity strategy in its journey from being a network-centric agency to one that is more data-centric as part of its Cybersecurity Modernization Action Plan.
CFPB Director of Cybersecurity Operations Scott Braus said CISA’s framework helped introduce containerization in a cloud-based workspace and also independent testing and configuration to thwart and monitor threats. These capabilities were key to helping the agency identify a recent security vulnerability.
“We had one cloud-based application where we did have some data that was unintentionally in a publicly available repository,” Braus said at the event. “It turned out to be a small-scale event. But before we had specifics, we did not know how big of a scale [the event] was.”
Although the White House’s 2021 executive order called for agencies to have some level of zero trust by this year, the process will be ongoing for agencies like FDA where “achieving zero trust is about the journey, not the destination,” Taylor said.
To measure its level of zero trust maturity, FDA uses a monthly alphabetic grade scorecard based on criteria defined in CISA’s model. Taylor gave the FDA’s current grade as a “B or C.”
Some of the long-term challenges leaders face in integrating zero trust are more on the business side. Taylor said FDA is working to “find the budget to support these unfunded mandates” while also aiming for optimum maturity.
Editor’s note: This story corrects a previous version that clarifies the number of FDA’s cyber attack attempts per month and the goal of data centricity as part of FDA’s cybersecurity modernization plan.