The Veterans Cybersecurity Group (VCSG), an organization that recruits, trains and mentors active duty service members to transition to the federal cybersecurity workforce, has embarked on an initiative to establish a body of standards and testing for zero trust architecture.
U.S. military veterans, along with women and minorities, are among those constituencies largely under-represented in efforts to diversity the cyber workforce and close the cybersecurity skills gap to help fill some four million open jobs.
What MSSPs, MSPs Need to Know
While plumbing a variety of sources for cybersecurity expertise is not new, VCSG’s approach has a twist to meeting those needs.
Tying the development of zero trust standards and skills specifically to veterans and ultimately to stakeholders, such as the federal government, vendors, non-profits and other entities, is a unique triangulation as compared to other recruitment and training programs.
VCSG’s impetus for the framework is President Biden’s federal mandate for government agencies to develop plans for implementing zero trust architecture by September 30, 2024, or the end of the fiscal year. Biden issued an executive order in May 2021 instructing federal agencies to modernize their cybersecurity standards to include securing cloud services, streamlining access to data to minimize risk and other upgrades.
A “major obstacle” to achieving those objectives is the lack of zero trust standards and establishing testing methodology, according to Leighton Johnson VCSG chief technology officer.
“Currently, there are no Zero Trust standards to test and validate complex ZTA (zero trust architecture) solutions,” he said. “VCSG aims to establish testing criteria immediately through an iterative SecDevOps approach. To this end, VCSG is establishing a Zero Trust Proving Ground (ZTPG) to test and evaluate ZTA implementations."
While National Institute for Standards and Technology (NIST) and Cybersecurity & Infrastructure Security Agency (CISA) have “defined principles,” Johnson believes is difficult to audit a set of principles.
“The IEEE (Institute of Electrical and Electronics Engineers) ZTWG (IEEE Zero Trust Working Group) is tasked with the years-long process of developing an ISO (International Organization for Standardization) standard,” he said.
Paul Gozaloff, VCSG managing consultant, said that current and future zero trust standards will result from a collaboration with the IEEE Zero Trust Working Group.
Cyber Range Triggers Training and Testing
To round out the ZTA standards project, VCSG will host the ZTPG on an established Cyber Range used by government agencies as a virtual cybersecurity training and testing environment. The plan is to allow multiple "communities of interest" to implement cyberattack and exploitation scenarios.
Vulnerability analysis and penetration testing within the ZTPG will help to develop a standardized ZTA testing framework. If all goes to plan, this framework will enable federal agencies to evaluate and integrate third party ZTA solutions into their cybersecurity architectures.
"Our goal is to be a leader in the implementation of these standards,” Gozaloff said.
He noted that VCSG’s current goal concerns veterans transitioning to cybersecurity work in the federal government sector. Meanwhile, if the project turns to the commercial market, it could involve managed security service providers (MSSPs).
Potential project stakeholders include federal agencies seeking information for:
- Future requests for proposals (RFPs)
- Cybersecurity vendors wanting their ZTA products and services demonstrated and tested
- Standards bodies
- Cybersecurity nonprofits providing training and awareness of zero trust best practices
