CISA Model Helps FDA, CFPB in Zero Trust Journey
Agency leaders say that the Zero Trust Maturity Model has been valuable to learning implementation lessons.
Leaders from the Food and Drug Administration (FDA) and Consumer Financial Protection Bureau (CFPB) are seeing benefits in using the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model in their new zero trust implementation efforts, amid growing needs to modernize cloud workspaces and protect data.
“We’re one hack away from a headline,” FDA CISO Craig Taylor said at an event this week. The FDA is a frequent target of cyberattacks; Taylor put the number at about 13 to 15 billion attempts a month.
Taylor said the agency used CISA’s framework to introduce a proactive cybersecurity strategy as part of its Cybersecurity Modernization Action Plan, in its journey from being a network-centric agency to one that is more data-centric.
CFPB Director of Cybersecurity Operations Scott Braus said CISA’s framework helped the agency introduce containerization in its cloud-based workspace, along with independent testing and configuration checks to thwart and monitor threats. These capabilities were key to helping the agency identify a recent security vulnerability.
“We had one cloud-based application where we did have some data that was unintentionally in a publicly available repository,” Braus said at the event. “It turned out to be a small-scale event. But before we had specifics, we did not know how big of a scale [the event] was.”
Although the White House’s 2021 executive order called for agencies to have some level of zero trust by this year, the process will be ongoing for agencies like FDA where “achieving zero trust is about the journey, not the destination,” Taylor said.
To measure its level of zero trust maturity, FDA uses a monthly alphabetic grade scorecard based on criteria defined in CISA’s model. Taylor gave the FDA’s current grade as a “B or C.”
Some of the long-term challenges leaders face in integrating zero trust lie more on the business side. Taylor said FDA is working to “find the budget to support these unfunded mandates” while also aiming for optimal maturity.
Editor’s note: This story corrects a previous version, clarifying the number of FDA’s cyberattack attempts per month and the goal of data centricity as part of FDA’s cybersecurity modernization plan.