
What You Need to Know to Align With the DoD’s New Zero Trust Overlays

The U.S. Department of Defense’s new document, Zero Trust Overlays, provides the most up-to-date guidance for applying zero trust concepts in DoD organizations. The document builds upon prior publications such as the DoD’s Zero Trust Reference Architecture and Zero Trust Roadmap as well as NIST’s Risk Management Framework and SP 800-53 security controls. And like these source documents, Zero Trust Overlays consistently emphasizes the importance of firmware and supply chain security in the context of Zero Trust. 

Applying the Tenets of Zero Trust to Devices

Zero Trust Overlays organizes its approach into seven “pillars,” covering areas of focus such as Users, Devices, Applications, Data, and Networks. In this context, a device refers to:

…any asset (including its hardware, software, firmware, etc.) that can connect to a network, including servers, desktop and laptop machines, printers, mobile phones, IoT devices, networking equipment, and more.

This is important because it not only calls out that Zero Trust applies to all types of devices, but it also highlights the components that devices are made of. A device isn’t just a single checkbox entity—it is a constellation of various hardware, firmware, and software components that will need to be evaluated in a Zero Trust context. 

But what does that entail in an actual security practice? Let’s take a look at how a supply chain security platform can address the following five key tenets of zero trust as defined in Zero Trust Overlays:  

Firmware and Supply Chain Controls

While the tenets provide the high-level direction, the details are defined by specific NIST SP 800-53 security controls. Given the importance of supply chain and firmware security in SP 800-53, it should be no surprise that these topics are prominently featured in Zero Trust Overlays as well. In fact, each term is referenced dozens of times across various controls and Zero Trust pillars.

Key security controls include: 

Configuration Management (CM)

CM-2 Baseline Configuration

  • Zero Trust Pillars: Device, Application and Workload
  • Requirements: Maintain a current baseline configuration under configuration control [CM-2], using automated mechanisms

CM-6 Configuration Settings

  • Zero Trust Pillars: Device, Application and Workload
  • Requirements: Manage configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements. Monitor and control changes to the configuration settings [CM-6], using automated tools

CM-14: Signed Components

  • Zero Trust Pillar: Device
  • Requirement: Prevent the installation of selected software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization

System and Services Acquisition (SA)

SA-10(1) Software and Firmware Integrity Verification

  • Zero Trust Pillar: Application and Workload
  • Requirement: Enable integrity verification of software and firmware components to detect unauthorized changes to software and firmware components using developer-provided tools, techniques, and mechanisms

Risk Assessment (RA)

RA-3(1) Supply Chain Risk Assessment

  • Zero Trust Pillar: Application and Workload
  • Requirement: Implement or integrate with DoD’s supply chain risk management program and include managing risk related to supplier sourcing, approved repository usage, BOM, supply chain risk management, and industry standard vulnerability management.

RA-5 Vulnerability Monitoring and Scanning

  • Zero Trust Pillars: Enabler, User, Device, Application and Workload
  • Requirement: Continuously monitor and scan for vulnerabilities [RA-5] in the system and hosted applications, employ vulnerability monitoring tools and techniques that facilitate interoperability among tools, and automate parts of the vulnerability management process. Identifying vulnerabilities will be an important input when making access decisions.

System and Information Integrity Media Protection (SI) 

SI-2(5) Automatic Software and Firmware Updates 

  • Zero Trust Pillars: Device, Application and Workload
  • Requirement: Employ automated patch management tools to facilitate flaw remediation and help to ensure the timeliness and completeness of system patching operations [SI-2(4)] and automatically install security-relevant software and firmware updates to designated system components

SI-4(17): Integrated Situational Awareness

  • Pillar: Visibility and Analytics
  • Requirement: Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness 

SI-7 Software, Firmware, and Information Integrity

  • Zero Trust Pillars: Device, Automation and Orchestration
  • Requirements: Employ integrity verification tools to detect unauthorized changes to software, firmware, and information, and take appropriate actions upon detection. Incorporate the detection of unauthorized changes into the organizational incident response capability to help ensure detected events are tracked, monitored, corrected, and available for historical purposes.

Supply Chain Risk Management (SR)

SR-3 Supply Chain Controls and Processes

  • Zero Trust Pillar: Application and Workload
  • Requirement: Manage Supply Chain Risks. Manage supply chain risks [PM-30] consistently across DoD with considerations for security (including zero trust principles) and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services.

SR-4 Supply Chain Integrity 

  • Zero Trust Pillar: Application and Workload
  • Requirement: Cybersecurity supply chain risk management provides processes and procedures to validate the integrity of system components installed in DoD’s systems and networks. Zero trust depends on the integrity of system and network components and its information.

Next Steps

Zero Trust Overlays is the latest in what has been a very consistent drumbeat of guidance from U.S. agencies and the DoD specifically. Zero Trust requires organizations to continually assess the most fundamental aspects of their technology. And this must include the most fundamental components, code, and supply chains that underpin the technology we rely on. 

The Eclypsium supply chain security platform has specialized capabilities that allow customers to audit assets and find problems that are not visible to traditional security tools. Most importantly, Eclypsium performs these tasks in a highly automated fashion without the need for staff to develop new specialized skills. This ensures that organizations can not only meet their Zero Trust requirements, but have powerful visibility into virtually any class of asset or technology. If you would like to learn more, please contact the Eclypsium team at [email protected].  
