Agencies face \u2018inflection point\u2019 ahead of looming zero-trust deadline, CISA official says | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/zero-trust-implementation-plan-cisa-federal-agencies-deadline\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Agencies face \u2018inflection point\u2019 ahead of looming zero-trust deadline, CISA official says\"> <meta property=\"og:description\" content=\"Shelly Hartsook said she\u2019s seen promising data on implementation of security protocols ahead of next week\u2019s due date for agencies to submit updated plans.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/zero-trust-implementation-plan-cisa-federal-agencies-deadline\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-10-30T20:57:54+00:00\"> <meta property=\"article:modified_time\" content=\"2024-10-30T20:57:55+00:00\"> <meta property=\"og:image\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2024\/10\/GbJqrDmWEAAcot9.jpeg\"> <meta property=\"og:image:width\" content=\"600\"> <meta property=\"og:image:height\" content=\"900\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"mbracken\"> <meta name=\"twitter:card\" content=\"summary_large_image\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1729616464g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1728928671g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1729103471g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ada0ad45b21fc79c6694\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82369\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.6.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=82369\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fzero-trust-implementation-plan-cisa-federal-agencies-deadline%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fzero-trust-implementation-plan-cisa-federal-agencies-deadline%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82369 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/zero-trust-implementation-plan-cisa-federal-agencies-deadline\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.433172302738\">\n<div class=\"single-article__header-content\" readability=\"34.013245033113\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/cybersecurity\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> Shelly Hartsook said she\u2019s seen promising data on implementation of security protocols ahead of next week\u2019s due date for agencies to submit updated plans. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/82369\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"600\" height=\"453\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/agencies-face-inflection-point-ahead-of-looming-zero-trust-deadline-cisa-official-says.jpg?resize=600%2C453&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/agencies-face-inflection-point-ahead-of-looming-zero-trust-deadline-cisa-official-says-2.jpg 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/agencies-face-inflection-point-ahead-of-looming-zero-trust-deadline-cisa-official-says-2.jpg?resize=300,227 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/agencies-face-inflection-point-ahead-of-looming-zero-trust-deadline-cisa-official-says-2.jpg?resize=223,168 223w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/agencies-face-inflection-point-ahead-of-looming-zero-trust-deadline-cisa-official-says-2.jpg?resize=446,337 446w\" sizes=\"(max-width: 600px) 100vw, 600px\"><figcaption> Shelly Hartsook, acting associate director of CISA\u2019s Cybersecurity Division, speaks during CyberTalks in Washington, D.C., on Oct. 30, 2024. (Scoop News Group photo) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"51.95087076077\"><body readability=\"105.90852904821\"><\/p>\n<p>As federal agencies race to hit a White House deadline to submit updated zero-trust implementation plans next week, a top Cybersecurity and Infrastructure Security Agency official said she\u2019s seen promising data leading up to that \u201cinflection point.\u201d<\/p>\n<p>Speaking Wednesday at CyberScoop\u2019s CyberTalks event in Washington, D.C., Shelly Hartsook, acting associate director of CISA\u2019s Cybersecurity Division, said more details on agencies\u2019 progress with zero-trust implementation would be available after they submit updated plans by Nov. 7 with the Office of the National Cyber Director and the Office of Management and Budget. But CISA has seen encouraging data in the aftermath of <a href=\"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2022\/01\/M-22-09.pdf\">OMB\u2019s 2022 zero-trust memorandum<\/a> and stands ready to help agencies with additional implementation tasks.<\/p>\n<p>\u201cIn this inflection point, as we\u2019re transitioning from that initial policy rollout into sustained implementation, CISA is also taking a more central role to this work,\u201d Hartsook said. \u201cFirst and foremost, we\u2019ve been asked by the White House to really lean in on reviewing those implementation plans, being able to report out where we are, look at agencies and be able to meet them across their journey, and really taking a close look at gaps in CISA\u2019s services so that we can offer more to agencies and be more of a force multiplier.\u201d<\/p>\n<p>The updated plans due next week are expected to detail implementation on \u201call information systems\u201d in use by agencies, <a href=\"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2024\/07\/FY26-Cybersecurity-Priorities-Memo_Signed.pdf\">per OMB\u2019s July memo<\/a>, while also documenting current and target maturity levels in <a href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2023-04\/zero_trust_maturity_model_v2_508.pdf\">all five of CISA\u2019s zero-trust pillars<\/a> for \u201chigh-value assets and high-impact systems.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Additional details will be provided to agencies \u201cin the next day,\u201d according to Mike Duffy, the acting federal chief information security officer. Duffy said OMB, the Federal CISO Council and the Federal Chief Data Officers Council are set to release a federal zero-trust data security guide that walks through some of the next steps agencies should take.<\/p>\n<p>\u201cIt\u2019s an important step forward for both councils, working together from the data side and the security side, tackling something that is critically important for artificial intelligence and vital for zero-trust maturation, which is, how do we identify and secure data?\u201d Duffy said. <\/p>\n<p>\u201cIt is one of the pillars in the zero-trust maturity model that has always been a challenge for large organizations,\u201d he continued. \u201cIt is something that we as a government now have a way to wrap our arms around it through this guide. This was forecasted in 2022 as we thought through that policy for zero trust, that this guide would be important at this particular moment. And we\u2019re excited to have that.\u201d<\/p>\n<p>At least some of that excitement can be attributed to data collected since OMB\u2019s initial memo. Hartsook said between the fourth quarter of fiscal year 2021 and the fourth quarter of last year, agency implementation of multifactor authentication jumped from 53% to 80%, while phishing-resistant MFA increased from 46% to 71%.<\/p>\n<p>\u201cThose numbers are even more impressive if you think about the fact that we actually redefined the way the government was looking at MFA,\u201d Hartsook said. \u201cFor many, many years, it was focused on the individual, whether or not they had a pin credential, and whether or not they were using that credential to log onto the network. And we flipped the script on that and really started looking at the specific systems and applications and whether or not we were putting our strongest protections at our most important assets.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Additionally, Hartsook said there are 99 agencies that have implemented an appropriate endpoint detection and response tool, and of those, 78 exceeded a threshold of 90% or higher coverage across endpoints. <\/p>\n<p>As those positive data points have trickled in, Hartsook said CISA has leaned more into training efforts, conducting 10 workshops for cyber staffers that were \u201cconsistently getting 600 participants or more,\u201d in addition to opening up an \u201cextensive public comment period\u201d for the agency\u2019s zero-trust maturity model.<\/p>\n<p>Going forward, Hartsook said CISA is partnering with the Cloud Security Alliance on additional training programs, and is in the process of developing more \u201ctargeted, practical implementation guidance,\u201d focused in part on micro-segmentation and the application of zero-trust operational technology. <\/p>\n<p>\u201cEvery step, every action that we take towards zero trust is a step towards bolstering our national security,\u201d she said. \u201cWe must continue to move towards a model that, even if adversaries are able to get inside of our environments, which increasingly they are, that we can find them faster, that we can keep them from moving around, that we can stop them from establishing persistence and achieving their aim.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"4.0583333333333\">\n<div class=\"author-card\" readability=\"15\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/agencies-face-inflection-point-ahead-of-looming-zero-trust-deadline-cisa-official-says-1.jpg?w=640&ssl=1\" alt=\"Matt Bracken\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Bracken<\/h4>\n<p> Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/zero-trust-implementation-plan-cisa-federal-agencies-deadline\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Agencies face \u2018inflection point\u2019 ahead of looming zero-trust deadline, CISA<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[78,452,2981,1396,900],"tags":[86,454,2982,1397,907],"class_list":["post-6022","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-cybersecurity-and-infrastructure-security-agency-cisa","category-cybertalks-2024","category-multi-factor-authentication-mfa","category-zero-trust","tag-cybersecurity","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-cybertalks-2024","tag-multi-factor-authentication-mfa","tag-zero-trust"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybertalks-2024\/\" rel=\"category tag\">CyberTalks 2024<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/multi-factor-authentication-mfa\/\" rel=\"category tag\">multi-factor authentication (MFA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/zero-trust\/\" rel=\"category tag\">Zero Trust<\/a>","tag_info":"Zero Trust","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6022","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6022"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6022\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6022"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6022"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6022"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":6022,"date":"2024-10-30T15:57:54","date_gmt":"2024-10-30T20:57:54","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82369"},"modified":"2024-10-30T15:57:54","modified_gmt":"2024-10-30T20:57:54","slug":"agencies-face-inflection-point-ahead-of-looming-zero-trust-deadline-cisa-official-says","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/10\/30\/agencies-face-inflection-point-ahead-of-looming-zero-trust-deadline-cisa-official-says\/","title":{"rendered":"Agencies face \u2018inflection point\u2019 ahead of looming zero-trust deadline, CISA official says"},"content":{"rendered":"