Hasten CMMC Compliance Through Zero-Trust.

Author: Heidorn, Ryan
Position: Viewpoint

It's hard to have a conversation about cybersecurity these days without hearing about "zero trust," a cybersecurity design philosophy that, although conceptualized over a decade ago, has reemerged as contemporary wisdom among security practitioners in both government and industry.

Zero trust has risen to prominence in the post-COVID world in part because, as a security engineering paradigm, it addresses the reality that corporate resources have moved to the cloud and users access them from anywhere, whether that's at the office, home, or Starbucks.

For defense contractors preparing for the Cybersecurity Maturity Model Certification (CMMC)--many of them facing an uphill battle after chronic underinvestment in IT and security--zero-trust concepts may hold the key to fast-tracking the implementation of technical requirements for protecting controlled unclassified information (CUI).

Leveraging a zero-trust strategy in the cloud can help contractors scope out technical debt, modernize IT infrastructure and accelerate compliance timelines.

But even as federal agencies rush to adopt a zero-trust architecture, as directed by President Joe Biden's "Executive Order on Improving the Nation's Cybersecurity," industry faces a potential hurdle in following suit: the cybersecurity rules may already be out of step with contemporary best practices.

In contrast to the adage "trust but verify," a core concept of the zero-trust model is to never trust, always verify. John Kindervag, who coined the term "zero trust" in a 2010 paper, often states that "trust is a vulnerability that can be exploited." Without zero trust, an adversary who gains access to a trusted account or device is free to move around a network unchallenged.

Zero trust moves cybersecurity defenses away from network-based security perimeters--characterized by firewalls, VPNs and intrusion detection systems--to user identities, devices and individual resources. Instead of broadly granting access within the protected boundary of a corporate network, zero trust seeks to verify--authenticate, authorize and encrypt--every access request. In this way, a user's identity becomes the new security perimeter.

Trying to log in with the correct password but from an unusual location? Prompt for multi-factor authentication. Logging in from outside the United States and your device is failing compliance checks? Block the connection and alert an administrator.
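The two scenarios above are instances of a risk-based access decision: every request is scored on identity, device and context signals rather than on where it enters the network. The following is an added example, not code from the article or from any CMMC or vendor tooling; the request fields, the home-country constant, the "known locations" list and the rule that a non-compliant device is blocked even from a familiar location are all assumptions made for illustration.

```python
"""Added example (not part of the original article): a small zero-trust
access-decision evaluator modelled on the two scenarios in the text.
All names, fields and sample data are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class AccessRequest:
    user: str
    password_ok: bool           # credential check already performed by the identity provider
    country: str                # country inferred from the client's IP (constructed signal)
    device_compliant: bool      # result of an endpoint compliance check (constructed signal)
    known_locations: List[str] = field(default_factory=list)  # countries the user normally signs in from


@dataclass
class Decision:
    action: str                 # "allow", "require_mfa" or "block"
    alert_admin: bool = False   # whether an administrator should be notified
    reason: str = ""


HOME_COUNTRY = "US"  # assumption: the organisation operates domestically


def evaluate(req: AccessRequest) -> Decision:
    """Apply the rules in order of severity so the strictest matching rule wins.

    The first two rules come from the article's scenarios; the third is an
    assumed policy that a failing device is never granted access, even from a
    familiar location, since device posture is one of the signals zero trust
    verifies on every request.
    """
    if not req.password_ok:
        return Decision("block", reason="invalid credentials")
    if req.country != HOME_COUNTRY and not req.device_compliant:
        # Scenario 2 in the text: foreign sign-in on a non-compliant device.
        return Decision("block", alert_admin=True,
                        reason="sign-in from outside the US on a non-compliant device")
    if not req.device_compliant:
        # Assumed rule: non-compliant devices are blocked regardless of location.
        return Decision("block", reason="device failed compliance checks")
    if req.country not in req.known_locations:
        # Scenario 1 in the text: correct password, unusual location -> step up.
        return Decision("require_mfa", reason="unusual sign-in location")
    return Decision("allow", reason="identity, device and location verified")


def evaluate_batch(requests: List[AccessRequest]) -> List[Decision]:
    """Evaluate each request independently; no request is trusted because an
    earlier one from the same user was allowed."""
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    # Constructed sample requests covering each branch of the policy.
    samples = [
        AccessRequest("alice", True, "US", True, ["US"]),
        AccessRequest("alice", True, "DE", True, ["US"]),
        AccessRequest("alice", True, "DE", False, ["US"]),
        AccessRequest("alice", True, "US", False, ["US"]),
        AccessRequest("alice", False, "US", True, ["US"]),
    ]
    for req, dec in zip(samples, evaluate_batch(samples)):
        flag = " [alert admin]" if dec.alert_admin else ""
        print(f"{req.user} from {req.country}: {dec.action}{flag} ({dec.reason})")
```

In a production deployment these signals would come from the identity provider, the endpoint management agent and a geolocation feed, and each decision would be written to an audit log; the point of the example is only that every request passes through the same evaluation, with no network-location shortcut to "allow".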

Continuous, automated verification of identity can minimize the impact of a breach. In fact, a key design principle of zero-trust architecture is to assume the network has already been breached by an adversary. This mindset, all too reasonable in today's threat...
