CISA could get $856M funding, pledges to help US agencies go zero trust
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) could receive $856 million from the $3.5 trillion reconciliation bill. Text released from the House Homeland Security Committee’s mark-up of the legislative language, which is due for review today, shows that at one end of the scale, $25 million would go to help develop a national multi-factor authentication (MFA) campaign, reports Meritalk.
At the other end, $400 million would be earmarked for CISA to implement President Biden’s cyber executive order, $100 million for a cybersecurity education and training program and $210 million for general operations, around ten percent of CISA’s annual operating budget. The additional operations funding would last until the end of 2031.
Another $50 million would go to establishing a Multi-State Information Sharing and Analysis Center and $20 million to expand projects with international partners to protect critical infrastructure, according to Meritalk.
President Biden recently urged American companies to adopt MFA to protect themselves from Russian cyberattacks. A survey for Yubico found that almost three quarters of responding businesses plan to increase spending on MFA, that nearly half already use biometrics for privileged administrators and staff, and that user experience was the main obstacle to MFA adoption.
CISA to go beyond MFA to provide zero trust support to agencies
However, MFA is already seen as an entry-point for protection. CISA’s draft “Zero Trust Maturity Model” was publicly released last week, having been shared with agencies in June after Biden’s cybersecurity executive order, which tasks agencies with developing zero trust strategies, reports the Federal News Network. The Office of Management and Budget is asking agencies to reach a basic zero trust maturity level by the end of fiscal 2024.
CISA is seeking feedback until the end of September. Its model outlines progression from traditional through advanced to optimal protections across five pillars including identity and data. For identity, traditional maturity includes passwords and multifactor authentication. Optimal would be continuous validation and real time machine learning analysis.
A recent cyberattack led to data theft at the United Nations because a user account had not enabled two-factor authentication (2FA) and was using just a username and password, reports Threat Post. The attack took place in April 2021 and the bad actor used stolen credentials to gain access to the UN’s proprietary project management software Umoja, maintaining access for four or five months and stealing data which could enable further attacks.
A survey from Thales suggests this state of affairs is all too common, with nearly half of IT professionals surveyed expressing doubt that their security systems effectively control access for their hybrid workforces.
VPNs are the most commonly used security tool for remote workers, according to the 2021 Thales Access Management Index, jointly conducted with 451 Research, despite their security risks and the challenges of scaling them. More than a third of respondents (38 percent) plan to adopt MFA, but less than a third (30 percent) have created a formal strategy for, or actively embraced, zero trust.
ForgeRock launches Autonomous Identity AI-based zero trust and role-based access control
Digital identity specialist ForgeRock has launched the latest version of ForgeRock Autonomous Identity, which it believes will make it easier for enterprises to achieve zero trust. The version should help heighten security by avoiding excessive access permissions and eliminating orphaned user accounts, which are prime targets for attacks.
The new Autonomous Identity system “leverages artificial intelligence (AI) and machine learning to reduce enterprise risk by discovering role-based access patterns across the entire organization and recommending optimized role structures” according to ForgeRock.
“With this new release of Autonomous Identity, we’re introducing new role management capabilities that tackle tedious, manual access and governance processes using AI and ML to more quickly identify and eliminate risky access across the entire enterprise,” said Peter Barker, chief product officer at ForgeRock.
“These new features provide an even more powerful way to give companies control of their data and also organize that data with optimized roles to more efficiently manage and govern access.”