The National Institute of Standards and Technology plans to publish various volumes of its forthcoming Cybersecurity Practice Guide throughout 2022 and beyond.
A description of the practical steps needed to implement the cyber reference designs for zero-trust security, the guide will be the end result of NIST’s Implementing a Zero Trust Architecture Project.
NIST’s Cybersecurity Center of Excellence formed a Zero Trust Architecture Working Group in October, composed of 20 companies that plan to build and document several reference builds, so it’s difficult to say when exactly the project will end, according to an agency spokesperson.
“I think what COVID did is it shined a light on, one, there are a lot of devices that weren’t secured that needed to be secured because people were working from home,” Tony D’Angelo, vice president of public sector at Lookout, told FedScoop. “And, two, some of the access that was previously had might have been unclassified email and things that were probably less sensitive, but the demand for accessing more sensitive data from phones and tablets is certainly increasing.”
Lookout, a San Francisco-based mobile threat defense company, is part of NIST’s working group and is pushing for the Cybersecurity Practice Guide to encourage agencies to secure mobile endpoints, data and apps in the cloud, and data and apps on premises.
Mobile security has only about 30% to 35% market penetration, despite about 70% of federal data being accessed using mobile devices, so there’s a “mismatch” there, D’Angelo said.
Lookout is interested in promoting virtual private network (VPN) replacement, continuous risk assessment and continuous conditional access as the practice guide is developed.
“VPN still does what it’s supposed to do, but it’s a snapshot in time of assessing risk on a particular device and user,” D’Angelo said. “The objective moving forward is to look at continuous risk assessment, so really drive zero-trust continuous conditional risk around policy enforcement and effectively have that adapt dynamically and continue to change depending on the risk level.”
That means it will be important for agencies to know the sensitivity level of particular data, so they can apply security policies based on that information.
Ideally the Cybersecurity Practice Guide will not only be a best practices document, but a policy engine for agencies to enforce zero trust, D’Angelo said.
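The contrast D’Angelo draws between a VPN-style check (risk assessed once at connect time) and continuous conditional access (risk re-assessed on every request, with policy keyed to data sensitivity) can be shown as a small policy-decision engine. The following is an added illustration, not code from NIST, the working group, or Lookout; the risk rules, sensitivity labels, decision matrix, and device telemetry are all constructed for the example.

```python
"""Continuous conditional access versus a one-time (VPN-style) risk snapshot.

Added example. Sensitivity labels, risk levels, the decision matrix and the
device telemetry below are hypothetical and exist only to illustrate the idea
of re-evaluating policy against current device risk and data sensitivity.
"""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """Data classification attached to each resource (constructed labels)."""
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2
    RESTRICTED = 3


class Risk(IntEnum):
    """Coarse device risk level derived from telemetry."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class DeviceState:
    """Snapshot of mobile-device telemetry at the moment of a request (constructed)."""
    device_id: str
    os_patched: bool
    screen_lock: bool
    jailbroken: bool
    malicious_app: bool
    unsafe_network: bool


def assess_risk(state: DeviceState) -> Risk:
    """Map telemetry to a risk level (hypothetical rules, not a vendor's scoring)."""
    if state.jailbroken or state.malicious_app:
        return Risk.HIGH
    if state.unsafe_network or not state.os_patched or not state.screen_lock:
        return Risk.MEDIUM
    return Risk.LOW


def decide(risk: Risk, sensitivity: Sensitivity) -> str:
    """Policy matrix: return 'allow', 'step_up' (re-authenticate) or 'deny'.

    The more sensitive the data, the lower the device risk must be; a high-risk
    device is confined to public data regardless of who the user is.
    """
    if risk == Risk.HIGH:
        return "allow" if sensitivity == Sensitivity.PUBLIC else "deny"
    if risk == Risk.MEDIUM:
        if sensitivity <= Sensitivity.INTERNAL:
            return "allow"
        if sensitivity == Sensitivity.SENSITIVE:
            return "step_up"
        return "deny"
    # Risk.LOW: everything is allowed, but restricted data still requires step-up.
    return "step_up" if sensitivity == Sensitivity.RESTRICTED else "allow"


def evaluate_sequence(events, continuous: bool) -> list[str]:
    """Decide each (device state, sensitivity) request in order.

    continuous=False models the VPN snapshot: risk is assessed once, from the
    first request's telemetry, and reused for the rest of the session.
    continuous=True re-assesses risk from the telemetry of every request.
    """
    decisions = []
    risk = None
    for state, sensitivity in events:
        if risk is None or continuous:
            risk = assess_risk(state)
        decisions.append(decide(risk, sensitivity))
    return decisions


# Constructed sample session: the device is clean at connect time, then a
# malicious app is detected mid-session while the user keeps requesting data.
CLEAN = DeviceState("tablet-01", True, True, False, False, False)
COMPROMISED = DeviceState("tablet-01", True, True, False, True, False)
SAMPLE_EVENTS = [
    (CLEAN, Sensitivity.INTERNAL),
    (CLEAN, Sensitivity.SENSITIVE),
    (COMPROMISED, Sensitivity.SENSITIVE),
    (COMPROMISED, Sensitivity.RESTRICTED),
]


def compare_models() -> dict[str, list[str]]:
    """Run the same session under both models so the difference is visible."""
    return {
        "snapshot": evaluate_sequence(SAMPLE_EVENTS, continuous=False),
        "continuous": evaluate_sequence(SAMPLE_EVENTS, continuous=True),
    }


if __name__ == "__main__":
    for model, decisions in compare_models().items():
        print(f"{model:>10}: {decisions}")
```

Under the snapshot model the third and fourth requests still go through on a device that has since been compromised, because the risk assessment was frozen at connect time; the continuous model denies them. The point of tagging each resource with a sensitivity label is that the same device risk yields different decisions for different data, which is what lets policy adapt per request rather than per session.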
“It will focus on different types of solutions but, overall, a general architecture and a blueprint for different agencies to follow,” he said.