“The Department of Health and Human Services Office of Inspector General developed a zero trust functional capabilities model to ensure it understood the strategy’s pillars before undertaking any projects, according to its chief information officer.”
“Gerald Caron said HHS OIG’s model consists of eight pillars, as opposed to the Department of Homeland Security’s five, complete with functional capabilities — like loss prevention and segmentation under the data pillar and authentication and access under the user pillar.”
“DHS’s Cybersecurity and Infrastructure Security Agency drafted the Zero Trust Maturity Model in June to help agencies comply with the Cybersecurity Executive Order, but Caron finds some people still talk about the strategy like it’s solely the identity pillar.”
“‘I start with the data,’ Caron said, during the 2022 Zero Trust Summit presented by CyberScoop on Wednesday. ‘That’s what I’m protecting, that’s what the users are protecting, that’s what the bad guys want.’”
“That’s not to say the user and identity pillars aren’t important, but the first questions a cyber analyst will ask post-breach are what did the person have access to and was there exfiltration — data questions, he added…”
“The chief information security officer of U.S. Citizenship and Immigration Services, Shane Barney, echoed Caron’s sentiment that while there’s a place for compliance and it adds value, it will never be security.”
“USCIS threw out a compliance mindset when it ‘fell into’ its zero-trust strategy through cloud migration about a decade ago, Barney said…”
Source: HHS OIG took the Zero Trust Maturity Model a step further – By Dave Nyczepir, April 6, 2022. FedScoop.