CISA Model Helps FDA, CFPB in Zero Trust Journey
Agency leaders say that the Zero Trust Maturity Model has been valuable for learning implementation lessons.
Leaders from the Food and Drug Administration and Consumer Financial Protection Bureau (CFPB) are seeing benefits in using Cybersecurity and Infrastructure Security Agency (CISA)’s Zero Trust Maturity Model in their new zero trust implementation efforts amid growing needs to modernize cloud workspaces and protect data.
“We’re one hack away from a headline,” FDA CISO Craig Taylor said at an event this week. The FDA is often a target of cyberattacks, which Taylor put at about 13 to 15 billion attempts a month.
Taylor said the agency used CISA’s framework to introduce a proactive cybersecurity strategy in its journey from being a network-centric agency to becoming one that is more data-centric as part of its Cybersecurity Modernization Action Plan.
CFPB Director of Cybersecurity Operations Scott Braus said CISA’s framework helped introduce containerization in a cloud-based workspace and also independent testing and configuration to thwart and monitor threats. These capabilities were key to helping the agency identify a recent security vulnerability.
“We had one cloud-based application where we did have some data that was unintentionally in a publicly available repository,” Braus said at the event. “It turned out to be a small-scale event. But before we had specifics, we did not know how big of a scale [the event] was.”
Although the White House’s 2021 executive order called for agencies to have some level of zero trust by this year, the process will be ongoing for agencies like FDA where “achieving zero trust is about the journey, not the destination,” Taylor said.
To measure its level of zero trust maturity, FDA uses a monthly alphabetic grade scorecard based on criteria defined in CISA’s model. Taylor gave the FDA’s current grade as a “B or C.”
Some of the long-term challenges leaders face in integrating zero trust are more on the business side. Taylor said FDA is working to “find the budget to support these unfunded mandates” while also aiming for optimum maturity.
Editor’s note: This story corrects a previous version to clarify the number of FDA’s cyber attack attempts per month and the goal of data centricity as part of FDA’s cybersecurity modernization plan.