NSA rolls out recommendations for maturing identity, credential, access management in zero trust

The National Security Agency (NSA) published Tuesday a Cybersecurity Information Sheet (CSI) that helps system operators mature identity, credential, and access management (ICAM) capabilities to mitigate certain cyber threat techniques. The initiative further discusses how these capabilities are integrated into a comprehensive Zero Trust (ZT) framework while providing system owners and operators the ability to identify, resist, and respond to various cyber intrusion techniques.

The Zero Trust model assumes that a breach is inevitable or has already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Adoption of a Zero Trust cybersecurity framework is part of the National Cybersecurity Strategy, and is also largely directed by the guidance provided by President Joe Biden in his Executive Order on Improving the Nation’s Cybersecurity (EO 14028), and National Security Memorandum 8 (NSM-8) for Federal Civilian Executive Branch (FCEB) agencies and National Security System (NSS) owners and operators.

The Zero Trust security model embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure to focus on protecting critical assets (data) in real-time within a dynamic threat environment. The data-centric security model allows the concept of least-privileged access to be applied for every access decision, allowing or denying access to resources based on the combination of several contextual factors.

NSA is assisting Department of Defense (DoD) customers in integrating the Zero Trust framework within NSS, DoD, and Defense Industrial Base (DIB) environments. Upcoming additional guidance will help organize, guide, and simplify incorporating Zero Trust principles and designs into enterprise networks. 

To achieve a mature Zero Trust framework, systems must integrate and harmonize the capabilities across seven pillars – user, device, data, application/workload, network/environment, visibility and analytics, and automation and orchestration. 

The move calls upon NSS owners and operators to take concrete steps to mature identity and access security controls and the operational practices related to establishing digital identities and authenticating and authorizing users to access critical resources. 

The administration is adopting these measures as cybersecurity incidents are on the rise due to immature capabilities in ICAM of national security, critical infrastructure, and DIB systems. 

“Malicious cyber actors increasingly exploit gaps and immature capabilities in the identity, credential, and access management of our nation’s most critical systems,” Kevin Bingham, critical government systems, zero trust lead at the NSA, said in a media statement. “Our report provides recommendations that will help system operators strengthen identity protections to limit the damage of future compromises.”

The CSI titled ‘Advancing Zero Trust Maturity throughout the User Pillar’ details increasingly mature capabilities in the user pillar, including recommendations and examples for achieving these maturity levels. The user (or identity) pillar highlights capabilities to establish the foundational authoritative identities of a system. Further, it describes the characteristics of authentication and authorization decisions. The user pillar maturity model builds on and matures the controls of the Federal Identity, Credential, and Access Management (FICAM) architecture.

FICAM establishes five core user service practice areas – Identity Management, Credential Management, Access Management, Federation, and Governance, according to the NSA CSI document. FICAM is the federal government’s approach to designing, planning, and executing common ICAM processes. The FICAM framework was established in 2009 to provide a common ICAM segment architecture for federal agencies to use in ICAM program and solution roadmap planning. 

The FICAM capabilities, expanded and refined by ZT principles, create a solid foundation for NSS owners and operators alike. They outline ways to take concrete steps to mature ZT security practices relating to identity management, access security controls, and operational practices related to establishing identities for users and strong mechanisms for authenticating and authorizing users’ access to critical resources. 

The user pillar expands and refines the capabilities associated with the FICAM framework to address the enhanced threat to identity, credentials, and access management. The CSI identifies these capabilities and aligns them to Zero Trust maturity levels for the user pillar. 

Identity Management covers technical systems, policies, and processes that create, define, govern, and synchronize the ownership, utilization, and safeguarding of identity information to associate digital identities with an individual or logical entity. Credential management includes technical systems, policies, and processes that establish and maintain the binding of an identity to a personal, physical, or logical entity, including establishing the need for a credential, enrolling an entity, establishing and issuing the credential, and maintaining the credential throughout its life cycle. 

Access Management includes management and control of the mechanisms used to grant or deny entities access to resources, including assurances that entities are properly validated, that entities are authorized to access the resources, that resources are protected from unauthorized creation, modification, or deletion, and that authorized entities are accountable for their activity. 

Federation covers the interoperability of ICAM with mission partners, though the CSI only discusses the general complexity of identity federation. Governance includes continuous improvement of systems and processes to assess and reduce the risk associated with ICAM capabilities. The CSI addresses improvements for this category by defining maturity levels for each of the ICAM categories rather than discussing the maturity of identity governance in general.

These capabilities provide a starting point for a user pillar maturity model. A generic assessment of current capabilities for NSS and employee access to U.S. Government systems in these areas is included in the ZT preparation phase. These foundational capabilities are recommended for other high-value systems in preparation for their ZT migration. As additional capabilities are deployed, enterprises advance through the basic, intermediate, and advanced maturity phases and become more able to operate according to ZT principles.

Last November, the DoD published its zero trust strategy and roadmap that envisions a DoD information enterprise secured by a fully implemented, department-wide zero trust cybersecurity framework. The DoD zero trust cybersecurity framework will largely work towards reducing the attack surface, enabling risk management, and delivering effective data-sharing in partnership environments, apart from containing and remediating adversary activities.
