The National Security Agency (NSA) released the “Advancing Zero Trust Maturity throughout the User Pillar” Cybersecurity Information Sheet (CSI) today to help system operators’ mature identity, credential, and access management (ICAM) capabilities to effectively mitigate certain cyber threat techniques.
Cybersecurity incidents are on the rise due to immature capabilities in identity, credential, and access management (ICAM) of national security, critical infrastructure, and Defense Industrial Base (DIB) systems. The Zero Trust model limits access to only what is needed and assumes that a breach is inevitable or already occurred. Adoption of a Zero Trust cybersecurity framework is part of the National Cybersecurity Strategy and is directed by the President’s Executive Order on Improving the Nation’s Cybersecurity (EO 14028) and National Security Memorandum 8 (NSM-8), for Federal Civilian Executive Branch (FCEB) agencies and National Security System (NSS) owners and operators.
NSA is assisting DoD customers in integrating the Zero Trust framework within NSS, Department of Defense (DoD), and DIB environments. Upcoming additional guidance will help organize, guide, and simplify incorporating Zero Trust principles and designs into enterprise networks.
To achieve a mature Zero Trust framework, systems must integrate and harmonize the capabilities from the following seven pillars: user, device, data, application/workload, network/environment, visibility and analytics, and automation and orchestration. The CSI expands on the “Embracing a Zero Trust Security Model” CSI published in 2021, by defining capability and maturity levels for the user pillar.
“Malicious cyber actors increasingly exploit gaps and immature capabilities in the identity, credential, and access management of our nation’s most critical systems,” said Kevin Bingham, Critical Government Systems, Zero Trust Lead. “Our report provides recommendations that will help system operators strengthen identity protections to limit the damage of future compromises.”
NSA strongly recommends NSS owners and operators build up ICAM and operational practices of their enterprise, working through the outlined capabilities toward the advanced maturity level.
Visit our full library for more cybersecurity information and technical guidance.
