How Zero Trust Changes FICAM
With respect to the identity management pillar of FICAM, NSA recommends agencies prepare for zero trust by ensuring all users are registered and their information is accurate.
For the credential management pillar, the guidance advises agencies to enforce multifactor authentication and inventory all credentials for each user.
Under the access management pillar, agencies should inventory user entitlements and access policies to remove any that are outdated, according to the information sheet.
NSA further provides steps for achieving basic, intermediate and advanced zero-trust maturity under each pillar.
The last FICAM pillar addressed in the guidance is identity federation. Zero trust necessitates partner agreements for the use of interoperable solutions when information sensitivity or maturity differences across agencies could create excessive risk.
Expanding and refining the FICAM roadmap through a zero-trust model “will provide an organization with tools and processes for resisting, detecting and responding to ever-increasing threats that exploit weaknesses or gaps in their ICAM programs,” according to the sheet.
Six Cyber Pitfalls for Security Professionals
Haney identifies six cybersecurity pitfalls that agencies’ security professionals must address to improve users’ perceptions of the new security tools being implemented, so they will use them rather than circumvent them.
Here’s how to avoid the pitfalls:
- Don’t assume users are clueless; they often just suffer from security fatigue.
- Avoid technical jargon in security communications; use plain language.
- Recognize that poor usability can unintentionally create insider threats.
- Avoid rigid security that complicates daily work and leads employees to look for risky workarounds.
- Seek compliance through positive reinforcement; negative actions, like locking user accounts, breed resentment.
- Don’t neglect direct user feedback on effectiveness.
“There has been a lot of research into this issue, but the research is not getting into the hands of people who can do something about it,” Haney said in a statement. “Working at NIST, where we have a connection to all sorts of IT experts, I saw the possibility of bridging that gap.”