Zero Trust and CMMC: Resolving Friction to Accelerate Compliance
Leveraging a zero-trust strategy in the cloud can help defense contractors scope out technical debt, modernize IT infrastructure, and accelerate compliance timelines.
This article by Ryan Heidorn originally appeared in National Defense Magazine.
It’s hard to have a conversation about cybersecurity these days without hearing about zero trust, a cybersecurity design philosophy that, although it was conceptualized over a decade ago, has reemerged as contemporary wisdom among security practitioners in both government and industry.
Zero trust has risen to prominence in the post-COVID world in part because, as a security engineering paradigm, it addresses the reality that corporate resources have moved to the cloud and users access them from anywhere, whether that’s at the office, home, or Starbucks.
For defense contractors preparing for the Cybersecurity Maturity Model Certification (CMMC) – many of them facing an uphill battle after chronic underinvestment in IT and security – zero trust concepts may hold the key to fast-tracking the implementation of technical requirements for protecting Controlled Unclassified Information (CUI).
Leveraging a zero-trust strategy in the cloud can help contractors scope out technical debt, modernize IT infrastructure, and accelerate compliance timelines.
But even as federal agencies rush to adopt zero-trust architecture (ZTA), as directed by President Biden’s Executive Order on Improving the Nation’s Cybersecurity, industry faces a potential hurdle in following suit: our cybersecurity rules may already be out of step with contemporary best practices.
‘Trust is a Vulnerability That Can Be Exploited’
In contrast to the adage “trust but verify,” a core concept of the zero-trust model is to never trust, always verify.
John Kindervag, who coined the term zero trust in a 2010 paper, often states that “trust is a vulnerability that can be exploited.” Without zero trust, an adversary who gains access to a trusted account or device is free to move around a network unchallenged.
Zero trust moves cybersecurity defenses away from network-based security perimeters (characterized by firewalls, VPNs, and intrusion detection systems) to user identities, devices, and individual resources. Instead of broadly granting access within the protected boundary of a corporate network, zero trust seeks to verify (authenticate, authorize, encrypt) every access request. In this way, a user’s identity becomes the new security perimeter.
Trying to log in with the correct password but from an unusual location? Prompt for multi-factor authentication. Logging in from outside the U.S. and your device is failing compliance checks? Block the connection and alert an administrator.
Continuous, automated verification of identity can minimize the impact of a breach. In fact, a key design principle of ZTA is to assume the network has already been breached by an adversary.
This mindset, all too reasonable in today’s threat landscape, should prompt organizations to focus on security engineering concepts such as least privilege (users only have the minimum permissions needed, and only at the time they need them), least functionality (systems are configured to explicitly block unnecessary applications, ports, and protocols), and defense in depth (layering defenses so there is no single point of failure).
NIST Special Publication (SP) 800-207, “Zero Trust Architecture,” affirms these principles, stating that the complexity of modern IT operations “has outstripped legacy methods of perimeter-based network security as there is no single, easily identified perimeter for the enterprise.”
Improving the Nation’s Cybersecurity
Traditional perimeter-based security is now an unacceptable security posture for most modern organizations, including the federal government, its military, and supply chains.
President Biden’s recent executive order directs all federal agencies to develop a plan for implementing zero-trust architecture, and many agencies already had efforts underway.
In May 2021, the Defense Information Systems Agency (DISA) released the DoD Zero Trust Reference Architecture, a collaboration with the NSA and U.S. Cyber Command. In its revised strategic plan for FY22, DISA declares zero-trust architecture as the cornerstone of its strategic focus on cyber defense.
Air Force CIO Lauren Knausenberger has articulated a vision “for the future to be completely zero trust.” The Air Force is developing a maturity model to align its information systems with zero-trust principles.
And, in the wake of the SolarWinds attack, the Department of Homeland Security launched a Zero Trust Action Group to develop “reusable security architectures, policy guides…and reference implementations with a two-year plan to deploy zero trust departmentwide.”
The writing is on the wall (or rather, in Executive Order 14028) for federal agencies. To “keep pace with today’s dynamic and increasingly sophisticated cyber threat environment,” agencies must accelerate adoption of zero-trust architectures and secure cloud services.
Zero Trust Strategies for CMMC
In a February 2021 report titled Embracing a Zero Trust Security Model, the NSA “strongly recommends that a Zero Trust security model be considered for…Defense Industrial Base [DIB] critical networks and systems.”
NIST SP 800-207 notes that “greenfield” ZTA (building a zero-trust architecture from the ground up) is likely not an option for federal agencies. It may be, however, the best option for the hundreds of thousands of subcontractors, suppliers, and small businesses in the DIB now preparing for CMMC.
In his epic unraveling of the federal rulemaking processes and assumptions leading up to CMMC, “A Banquet of Consequences: the story of CUI, DFARS, and CMMC,” Jacob Horne, Managing Partner at DEFCERT, illustrates the gap between what the federal government assumed industry was doing to protect its networks versus the reality on the ground, where technical and organizational debt (deferred costs and efforts) has piled up within industry for decades – a fact that contractors’ self-attestation of compliance with DFARS 252.204-7012 did virtually nothing to abate.
“Organizational debt accumulates as it is never the top priority, until it’s suddenly the only priority,” Horne writes. Confronted with CMMC and its process maturity requirements, many contractors are being forced to come to terms with years of underinvestment in the people, processes, and technology needed to effectively manage cybersecurity.
Although he is quick to caution against reliance on technology – the majority of CMMC practices are non-technical in nature – Horne sees ZTA as an opportunity to scope out technical debt: “For organizations that have kicked the can down the road for years, ZTA is the decision to ‘abandon ship’ and tunnel through corporate networks as if they are equally untrustworthy.”
The Benefits of a Cloud-First Approach
Cloud-based information systems can be rapidly deployed and shift some of the burden of security and compliance to service providers. Amazon, Microsoft, and Google (all of whom offer FedRAMP authorized services – a key requirement for use of cloud services under DFARS 252.204-7012) collectively spent $97 billion in capital expenditures in 2020 alone, while the manufacturing industry, in contrast, lags well behind average in spending on IT as a percentage of revenue.
A cloud-first strategy seeks to reduce and control technical debt by adopting cloud services (SaaS, PaaS, IaaS) wherever possible. By leveraging cloud services as the underlying architecture for organizational systems, an organization can effectively reduce the scope of technical responsibilities that must be performed internally (e.g., maintenance, hardware refresh, physical security).
The application of a cloud-first strategy can result in reduced system complexity, reduced operational footprint, and can allow an organization to inherit certain security and compliance practices from the cloud service provider in a shared responsibility model.
“Cloud service providers have scale and assets that promote constant advances in security to stay abreast of agile, persistent adversaries,” says Robert Metzger, a government contracts attorney at Rogers Joseph O’Donnell and co-author of MITRE’s “Deliver Uncompromised” report.
Metzger says that adopting zero-trust architecture in the cloud may be crucial to reducing the exposure of traditional perimeter defenses and accommodating today’s remote workforce.
So, what’s the catch?
Resolving Perceived Conflicts Between ZTA and CMMC
The CMMC practice SC.3.180 requires organizations to “employ architectural designs, software development techniques, and systems engineering principles that promote effective information security.”
As the dominant contemporary model for security architecture, ZTA is an obvious choice for promoting effective information security. But NIST SP 800-207 identifies a perceived gap between federal cybersecurity frameworks and ZTA: “There is a misconception that ZTA is a single framework with a set of solutions that are incompatible with the existing view of cybersecurity…This gap is based on a misconception of ZTA and how it has evolved from previous cybersecurity paradigms.”
The CMMC model, like the NIST Special Publications it builds upon, contemplates a traditional, on-premises environment, where blinking boxes protect the network from adversaries on the outside. In that mindset, requirements like AC.2.015 “Route remote access via managed access control points” set up organizations implementing ZTA for a tricky justification. What exactly, in today’s cloud-first world, is remote access?
In the CMMC clarification to AC.2.013, remote access is defined as “access to organizational systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet).” If, as in a zero-trust architecture, all networks are treated as inherently untrusted, are the underlying requirements satisfied?
Metzger argues that “while NIST SP 800-171 and CMMC are written around different principles and expecting different methods than Zero Trust, adoption of Zero Trust technologies and techniques will undoubtedly contribute to compliance, with the added benefit of outcomes superior to the minimums that might be acceptable.”
Consider CMMC practice PE.3.136, which requires organizations to “Enforce safeguarding measures for CUI at alternate work sites,” and clarifies that organizations should “define and implement safeguards to account for protection of information beyond the enterprise perimeter.” In a zero-trust architecture, an alternate work site is no more or less trusted than a corporate network. With identity as the perimeter, zero-trust mechanisms like telemetry-based access control and encryption provide safeguarding measures for CUI, regardless of where the user is logging in from.
Zero trust concepts and supporting technologies are not so far off from a literal, conservative reading of CMMC practice requirements, but it is apparent that ZTA is not the architecture that the CMMC model had in mind.
Which begs the question, how can federal rulemaking and any attendant certification processes ever keep pace with the fast-moving cybersecurity domain?
Metzger suggests that a focus on security outcomes, rather than prescriptive methods, could address the problem. “Experience in recent years shows too painfully that the techniques, tactics, and practices of adversaries outpace entirely the rate of rulemaking or the pace of certification regimes.
“Indeed, an excess of rules and surplus of process can increase opportunities for adversaries to find, study, and exploit the ‘seams.’ That’s why it is important to think more about security outcomes than to rely upon rule-based regimes – especially those reliant upon perimeter security of on-premises networks.”
It is important to remember, as the DoD Zero Trust Reference Architecture points out, that “no single device or capability produces a Zero Trust framework.” Similarly, CMMC is not a one-off project and cannot be reduced to technical implementations. We should be careful not to look to ZTA as a panacea for cyber and supply chain risk.
But, as the federal government pushes to adopt zero-trust architectures and secure cloud services, the DIB should look to cloud-native ZTA as an effective strategy for meeting compliance requirements, protecting sensitive data, and modernizing IT infrastructure in one fell swoop.