The U.S. Department of Defense’s new document, Zero Trust Overlays, provides the most up-to-date guidance for applying zero trust concepts in DoD organizations. The document builds upon prior publications such as the DoD’s Zero Trust Reference Architecture and Zero Trust Roadmap as well as NIST’s Risk Management Framework and SP 800-53 security controls. And like these source documents, Zero Trust Overlays consistently emphasizes the importance of firmware and supply chain security in the context of Zero Trust. 

Applying the Tenets of Zero Trust to Devices

Zero Trust Overlays organizes its approach into 7 key “pillars,” which address key areas of focus such as Users, Devices, Applications, Data, and Networks. And in this context a device refers to:

…any asset (including its hardware, software, firmware, etc.) that can connect to a network, including servers, desktop and laptop machines, printers, mobile phones, IoT devices, networking equipment, and more.

This is important because it not only calls out that Zero Trust applies to all types of devices, but it also highlights the components that devices are made of. A device isn’t just a single checkbox entity—it is a constellation of various hardware, firmware, and software components that will need to be evaluated in a Zero Trust context. 

But what does that entail in an actual security practice? Let’s take a look at how a supply chain security platform can address the following five key tenets of zero trust as defined in Zero Trust Overlays:  

Firmware and Supply Chain Controls

While the tenets provide the high-level direction, the details are defined by specific NIST’s SP 800-53 security controls. Given the importance of supply chain and firmware security in SP 800-53, it should be no surprise that these topics are prominently featured in Zero Trust Overlays as well. In fact each term is referenced dozens of times across various controls and Zero Trust pillars. 

Key security controls include: 

Configuration Management (CM)

CM-2 Baseline Configuration

• Zero Trust Pillars: Device, Application and Workload
• Requirements: Maintain a current baseline configuration under configuration control [CM-2], using automated mechanisms

CM-6 Configuration Settings

• Zero Trust Pillars: Device and Application and Workload 
• Requirements: Manage configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements. Monitor and control changes to the configuration settings [CM-6], using automated tools

CM-14: Signed Components

• Zero Trust Pillar: Device
• Requirement: Prevent the installation of selected software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization

System and Services Acquisition (SA)

SA-10(1) Software and Firmware Integrity Verification

• Zero Trust Pillar: Application and Workload
• Requirement: Enable integrity verification of software and firmware components to detect unauthorized changes to software and firmware components using developer-provided tools, techniques, and mechanisms

Risk Assessment (RA)

RA-3(1) Supply Chain Risk Assessment

• Zero Trust Pillar: Application and Workload
• Requirement: Implement or integrate with DoD’s supply chain risk management program and include managing risk related to supplier sourcing, approved repository usage, BOM, supply chain risk management, and industry standard vulnerability management.

RA-5 Vulnerability Monitoring and Scanning

• Zero Trust Pillars: Enabler, User, Device, Application and Workload
• Requirement: Continuously monitor and scan for vulnerabilities [RA-5] in the system and hosted applications, employ vulnerability monitoring tools and techniques that facilitate interoperability among tools, and automate parts of the vulnerability management process. Identifying vulnerabilities will be an important input when making access decisions.

System and Information Integrity Media Protection (SI) 

SI-2(5) Automatic Software and Firmware Updates 

• Zero Trust Pillars: Device, Application and Workload
• Requirement: Employ automated patch management tools to facilitate flaw remediation and help to ensure the timeliness and completeness of system patching operations [SI-2(4)] and automatically install security-relevant software and firmware updates to designated system components

SI-4(17): Integrated Situational Awareness

• Pillar: Visibility and Analytics
• Requirement: Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness 

SI-7 Software, Firmware, and Information Integrity

• Zero Trust Pillars: Device, Automation and Orchestration
• Requirements: Employ integrity verification tools to detect unauthorized changes to software, firmware, and information, and take appropriate actions upon detection.

Incorporate the detection of unauthorized changes into the organizational incident response capability to help ensure detected events are tracked, monitored, corrected, and available for historical purposes.

Supply Chain Risk Management (SR)

SR-3 Supply Chain Controls and Processes

• Zero Trust Pillar: Application and Workload
• Requirement: Manage Supply Chain Risks. Manage supply chain risks [PM-30] consistently across DoD with considerations for security (including zero trust principles) and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services.

SR-4 Supply Chain Integrity 

• Zero Trust Pillar: Application and Workload
• Requirement: Cybersecurity supply chain risk management provides processes and procedures to validate the integrity of system components installed in DoD’s systems and networks. Zero trust depends on the integrity of system and network components and its information.

Next Steps

Zero Trust Overlays is the latest in what has been a very consistent drumbeat of guidance from U.S. agencies and the DoD specifically. Zero Trust requires organizations to continually assess the most fundamental aspects of their technology. And this must include the most fundamental components, code, and supply chains that underpin the technology we rely on. 

The Eclypsium supply chain security platform has specialized capabilities that allow customers to audit assets and find problems that are not visible to traditional security tools. Most importantly, Eclypsium performs these tasks in a highly automated fashion without the need for staff to develop new specialized skills. This ensures that organizations can not only meet their Zero Trust requirements, but have powerful visibility into virtually any class of asset or technology. If you would like to learn more, please contact the Eclypsium team at [email protected].  

Related resources:

• Blog – Supply Chain Security: What You Need To Know
• Blog – NSA Guidance Calls Out What Your Zero Trust Strategy Is Probably Missing
• White paper – Ultimate Guide to Supply Chain Security

The post What You Need to Know to Align With the DoD’s New Zero Trust Overlays appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.

*** This is a Security Bloggers Network syndicated blog from Eclypsium | Supply Chain Security for the Modern Enterprise authored by Ariella Robison. Read the original post at: https://eclypsium.com/blog/what-you-need-to-know-to-align-with-the-dods-new-zero-trust-overlays/