“Officials from the Defense Department (DoD) and the Cybersecurity and Infrastructure Security Agency (CISA) said today that creating more effective defenses against sophisticated cyberattacks of the type used in the SolarWinds Orion hack may require further adoption of zero trust security concepts.
That was the news from Bob Kolasky, who heads CISA’s National Risk Management Center (NRMC), and Stacy Bostjanick, director of the Cybersecurity Maturity Model Certification (CMMC) Policy Office for DoD’s under secretary of Defense for Acquisition and Sustainment, who spoke during an online event organized by AFCEA International.
Both officials also discussed the growing likelihood that the CMMC security model will migrate in some form from its present use in ensuring minimum cybersecurity standards in the defense industrial base (DIB) to further areas of Federal government contracting…”
“Bostjanick said that CMMC compliance up to the level 3 rating would not have prevented an attack using similar methods as the SolarWinds exploit, although employing cybersecurity practices to the level 3 rating may have given some companies the ability to identify that such an attack was taking place.
‘You’re not going to get into the levels of stopping [that attack] until you get to levels 4 and 5,’ she said. ‘To really stop a SolarWinds [type attack], you almost have to go to a zero trust environment,’ Bostjanick said.
Zero trust security concepts incorporate much more rigorous and frequent evaluations of user and endpoint identities to allow access to networks…”
Source: SolarWinds Hack Defense Points to Zero Trust, Federal Officials Say – By John Curran, February 19, 2021. MeriTalk.