A new cybersecurity guidance from the National Security Agency is calling on network defenders of the Department of Defense, Defense Industrial Base and National Security System to implement zero trust security on their information technology devices.
NSA on Thursday published an information sheet recommending device security assessment and enhancement through zero trust principles including real-time inspection, remote access protection and patch management.
The cybersecurity information sheet, or CSI, discusses the device pillar of the ZT framework, which ensures that hardware that is within an environment or connecting to resources undergoes strict location, enumeration, authentication and assessment.
An organization’s registered IT hardware and software should be inventoried along with their versions and patch levels. They should also be part of acceptance testing and deprovisioning before retirement.
Agencies must regularly check their devices’ compliance to internal policies and general standards, and update their configuration and firmware versions if necessary, NSA said. Obsolete encryption could lead to easy accessibility and subsequently data breach.
The CSI is also applicable to non-government organizations that could face threats from sophisticated malicious actors, according to NSA.
