So, we're going to start with a chat and I'm delighted to welcome a lady who's been waiting patiently on her own video for a few minutes now. It's an honor to have you with us, Lisa. Lisa Carnahan is serving as the Associate Director for IT Standardization in the Information Technology Laboratory at the National Institute of Standards and Technology. Lisa's responsible for developing laboratory programmatic strategies for standards engagement and conformity assessment approaches, understanding potential standards opportunities in emerging technologies, and promoting the benefits of conformity assessment and standards adoption and use in the federal government and industry. Lisa currently serves as the NIST lead on the conformity assessment aspects of the NIST Cybersecurity Framework and Privacy Framework efforts. So, a lot of things there are very similar; a lot of synergy between NIST and The Open Group. We believe in standards, we believe in certification and conformity assessments, and just the value of this. So, a little more about Lisa. Lisa consults to the directors of the US HHS Health Information Technology Certification Program and the US HHS National Personal Protective Technology Laboratory, both very much in our minds at the moment. And Lisa is the convener of the US Interagency International Cybersecurity Standardization Working Group. And just to embarrass you one little bit further, Lisa, I do want to share that Lisa was last month, in fact, awarded a Leadership in IT Standards for Industry Award from the Washington Academy of Scientists, of Sciences, sorry, which is a great honor. And anyway, we are delighted to have you here, Lisa. Welcome to The Open Group. And if we were on stage, there'd be a big round of applause for you right now. But just imagine one.

Yes. Yeah. Thank you. Now, thank you so much for having me, Steve.
And I was looking at this agenda and I'm actually jazzed that the agenda is discussing standards on how we can move forward in our new normal and how we work, what we do, where we work. So, I applaud The Open Group for the agenda you put together. It's very cool.

Thank you. Thank you. So, I've told our attendees today a little bit about you, and you're with NIST, a very well known organization, certainly inside the United States. But as you heard me say earlier, we have a lot of folks from outside the United States. Could you just say a little bit about what NIST is in the standards world and how it relates to other standards efforts?

Sure, sure. So, the National Institute of Standards and Technology is an agency in the U.S. Federal Government. We're non-regulatory. So, our focus is on standards, metrology and measurement; we're the National Metrology Institute for the United States. So, having said that, with just a few exceptions, we actually don't develop documentary standards, which are the type of standards we talk about here. We actually think those standards are best developed in the private sector. So, we seek collaboration and participate with SDOs, Standards Development Organizations, like The Open Group, and, like many of you as participants, seek out those participations in SDOs. And we rely on private sector standards like you all do as well. So, our relationship to standards development and documentary standards development is that we do research primarily. We're a research institute, and we bring those results to SDOs as contributions, primarily focused on things like functional correctness, performance, test cases, how to measure the standards, things like that. So, we are much like you as participants here today, as we are participants in SDOs. We are members of those. We participate in most of the relevant SDOs at a given time. We're in ISO/IEC right now. We're in IEEE. We're in W3C and 3GPP and all the 5G, the IETF, OASIS, and yes, The Open Group.
Yes, that's right. Yeah, we're glad to have you active in our Security Forum. So, thank you for that. So, potentially a big scope for NIST. What are some of the key undertakings that NIST has on at the moment, the focus areas?

So, I'll mention three. I come out of, you mentioned, the Information Technology Lab. So, we have other laboratories for physics and chemistry and materials and things like that, but we'll focus on IT here. And I'll mention a couple of areas. We have a very large research program and actually a coordinating function in the US government in the area of artificial intelligence. And we're looking at it from the perspective of what makes artificial intelligence trustworthy, right? How can we trust these new tools that we'll have available? And so, we're looking at the attributes that make AI trustworthy, the attributes everybody talks about, and we're looking at how to measure them. Another area we're looking at is the cybersecurity of IoT devices, and we're looking at it from the perspective of addressing cybersecurity functionality and attributes in the design of the device itself, and then looking at how that functionality gets used through a product interface, right? So, we're down at the device and then it comes out into the product interface. And then the third area certainly is zero trust, which we're here talking about today.

Okay, great. Great. So, yes, zero trust we're talking about today. So, what do you think makes that so relevant today?

So, the concept of zero trust, so zero trust we kind of characterize it as a strategy. And it's about moving defenses from these static network perimeters that we're so used to and getting out to dynamic, risk-based access control to enterprise resources where they are, right, regardless of where they are. And so, it's really looking at implementing fine-grained access control policies. That phrase, fine-grained access control policy, has been around a very, very long time.
We just never really implemented it because we relied so much on perimeter security. In the old days, when I started at NIST, we talked about computer security of a server, and then we started networking a few, and then the internet came and we have this perimeter concept that if you're in the perimeter, you're trusted; if you're out of the perimeter, you're not trusted; someone can get in the perimeter and wreak havoc. And so, now we have this zero trust concept which focuses access control at the resource, and it has to be that way because we are now working, we're accessing resources all over the place, the resources are everywhere, we're everywhere, we're using all kinds of different devices. So, that perimeter concept isn't going to hold up as we start implementing these different types of architectures. I think that's why your conference here is so relevant in talking about these concepts. So, I think that's why it's relevant. It allows cyber security and managing risk to go out to where those resources and where users are.

Right. No, thank you. We've all been through these different approaches to security over the years, and I know here at The Open Group we had a group that did some great work over many years called the Jericho Forum, which was all about de-perimeterization. One day I'll be able to say that first off, but yes, this is new and different. So, what are NIST doing in zero trust?

So, we have a zero trust program going on at NIST right now. We have some documents that we published and then some research components of them. So, just in August of this year, August 2020, we published a document on zero trust architecture. It's NIST SP 800-207, if you want to write that down, SP 800-207. It was actually done in collaboration with our CIO Council. So, in the U.S. government, every agency has a chief information officer. They come together in a group, and it did two things. It laid out some of the concepts of zero trust.
So, this is new to a lot of people and so it has an education and awareness component, and then the other part is talking about considerations of applying zero trust concepts in federal enterprise environments. We're not talking about ripping and replacing new technology, but it's an evolution. Everyone already has their fielded systems. They have to evolve them, and so it looks at uses and applications. It looks at access to resources and subjects, and that's how it gets down into that fine-grained access control which is in some ways a replacement for the strong perimeter approach that we use now. What we have in the works: we're looking actually at all of our security guidance portfolio. It's pretty vast and we're looking at how to update it based on some of these zero trust principles. We have a new project called Telework Anytime, Anywhere. Very timely for now, right? And we're looking to update that guidance based on standards that come out and guidelines that might come out, and then the evolution of the technology. I think we all learned, certainly NIST learned, lessons when in March we all went to full-time telecommute. The first lesson we learned was our VPN wasn't big enough. Our pipe wasn't big enough, right? Luckily our operations folks were able to fix that right away. One of the other issues that we noticed is that we started having to use digitally signed documents in telework environments. Well, we always did that in the office, on the one machine. It was in the infrastructure. Then we had to just push all that out onto our laptops, onto our phones, right? Very different. You have to think about that a little differently. So that's what some of this Telework Anytime, Anywhere effort is going to try to address. So we'll be updating another document. We have a guide to telework, remote access and bring your own device.
That's the title of it, and that might be the first document that we focus on because that's really looking at safeguarding the technology used for telework and remote work. So we're going to incorporate all the zero trust principles down into those documents.

Right now it's great, as you say, very timely, and a lot of organizations are struggling with those same issues.

Yeah.

So do you work with, I mean, I'll say up front, and I said before, we're proud to have you in our Security Forum working with us. Do you work with other standards organizations in the zero trust space?

So we work with a lot of SDOs in, so the SDOs we work with in the networking space. So the IETF, not necessarily, I don't know that they call their work zero trust work, right? But this is a standards, a layered approach of standards and standards and standards. So we do an awful lot of work in the IETF in the cybersecurity space in having some of those grounded networking standards available for implementing the zero trust. And then we joined The Open Group and we're tracking The Open Group ZTA project. You all provided us great feedback on our, that SP, special publication I talked about, our zero trust architecture document. So thank you for that. I know we're having discussions with you all in areas of collaboration. We are fundamentally a research institute and push our research into standards organizations, of which you are one, but you also have a lot of, a sort of a little bit of a research component. You're not purely a standards organization. We view you as doing more than that. So I think there's areas we can collaborate. And then we're reviewing your zero trust principles document that you just pushed out for review. So congratulations on that. And we'll certainly provide feedback on that document.

That's great. That's great. So we've sort of set the context for why it's important, why zero trust is important.
Where do you see it going, Lisa, the direction it goes in, and the role of, sort of, standards in that?

Yeah, absolutely. So where we see it going is probably where everybody else sees it going. We're not unique. We don't have any great, you know, insight there. But we think, for it to get where it's going to go, right, as we do digital transformation and push zero trust out to the resource, we need to define principles and tenets and concepts and standards, right? And we think we can contribute to that, certainly. One of our efforts, hopefully to do that, is a collaborative effort we're going to have for industry. We just announced it a few days ago. I put the link in the chat. I don't know if I hit the right chat to put our effort where you can find information about this. So we're starting a demonstration project that's going to be in collaboration with industry. So industry companies that have products that can help build out zero trust solutions can come and work with NIST, and we build one or more solution sets of products, bringing products together. This is done at the National Cybersecurity Center of Excellence, NCCoE, which is a NIST effort. It's always in collaboration with industry. And there we do three things. We apply standards to the solution, right? That's first and foremost; we're NIST, we want standards. So we apply standards to the solution. That's a requirement. And then hopefully out of it we get good or best practices. I had best practices and thought maybe it's too soon to claim anything as a best practice in this space. Maybe they're good, right? And then lessons learned, right? What not to do. And then we generate a roadmap, a roadmap of to-dos, right? And this is hopefully contributing to the development of standards. We might see where there are standards needs as we try to build these solutions, and then help in adoption of the technology as well, right?
These are things that need to be done to increase adoption, things that need to be done to do standards work. I should mention, anyone interested in collaborating, if you go to the link I had, that'll kind of give you the rules of the road, how you can collaborate, or you can send me an email and I'll get you with those guys. But I think for where it's going, there's steps to get there. There's standards, there's principles. There's a lot of work to do to get there.

Right. You mentioned digital transformation, which is something that just about every organization is going through or needs to go through. And we'll be talking a lot more about the use of standards in digital transformation later in our session today, and it's a big focus for us. So how do you think Zero Trust will help organizations who are going through that transformation? Because obviously security, as we get more digital, security becomes even more important.

Right. So I think as organizations undergo digital transformation, if a few years ago the answer on the cybersecurity side was, well, you have to build a perimeter, you have to define a perimeter and build a perimeter and put up your fences, and everyone inside is trusted and everyone outside is not, that wouldn't work, right. That's just a barrier then to get where you want to go. And I think the exciting part of Zero Trust and implementing the access control this way is that it removes that barrier: if you want to use cloud resources wherever, you want to access applications wherever, using whatever device and wherever you are, that access control and the ability to secure the information and the resources can happen regardless of where you are, you're in a perimeter, you're not in a perimeter, and whatever network you're on. So a few years ago we would have been going ooh, but now we've removed that barrier, a possible barrier of cybersecurity. Right.
And another thing that everyone's interested in right now is agility and speed to market and all of these things. Do you think Zero Trust can help there?

Yeah, I think so, because I think with the fine-grained access control, in some ways the products and services aren't forced to fit into a particular cybersecurity scheme of this within the perimeter, right. There's a little more flexibility there, and maybe that's something that some of the product and services vendors, I'm talking non-cyber security, don't then have to worry about, how they fit in there in that perimeter, so I think it helps there. I wanted to mention the other thing, and maybe this is something you often talk about, because I'm unsure it's true. So in looking at Zero Trust, it really forces you to look at users and assets and resources and applications because you're going to have that fine-grained access control, and I'm thinking that that type of information actually is really helpful as you go through a digital transformation process. So I think it actually sort of is cyclic and it feeds back into that process as well.

Okay, thank you. And how about in the federal space? How do you see the impact of Zero Trust in federal?

Federal. So a few years ago in the U.S. federal government we had a pretty big breach of federal employee information. It was quite stunning, right, and I think that was the motivation for, in the U.S.,
the federal government, the CIO Council, to get together and say, you know, enough is enough, we have to change something, and so that's how they triggered the motivation to look at Zero Trust. And I think in the federal space, while the wheels of enterprise can turn slowly, I think there is a recognition that those wheels must turn, and like the private sector we need to go through these digital transformations, right, in terms of how we work. You know, how we work, we all know how we're going to work now, right? This is, you know, this is, I don't know that we're all going to telework forever or remotely work, but, you know, this is it, and so federal agencies recognize that. They know they have to change, as they do in the private sector, so I think these concepts are going to be the same. In terms of NIST and our role, as I said before, we have to update our guidance to recognize that, and I think we have to maybe even put in more guidance to help them through that Zero Trust evolution process, and not just on the technical side but on management and process guidance as well, right? How you manage and operationalize Zero Trust is a little different than that traditional perimeter security architecture, and so I think for federal agencies they have to think about that as well, right.

So do you see a way of getting some kind of compliance around Zero Trust in the federal space in particular, or even broader?

Yeah, so in terms of Zero Trust itself, you know, I don't know exactly what the requirements are going to look like for federal agencies to implement Zero Trust per se, but they still have to implement their same cybersecurity policies, right, and meet the same requirements regardless of whether it's Zero Trust or perimeter. And one of the advantages of using Zero Trust is that it's really good at logging data, it's really good at logging activity, and so that data is processable, and so as federal agencies go through their
security assessments and their audits, they have that processable data. I think that's great to use, and it also offers a feedback loop in terms of enforcement. So you have your security policy, and how do you know it's being implemented correctly, it's enforced correctly, right? So you have all this data, you can know: is your policy implemented correctly, did they miss something in the security policy, right, or are there assets out there kind of running amok, users doing all kinds of things, right? And at the end of the day, is it least privilege: have you implemented a policy that says for a given user they have the access they need and no more, right? That's really the concept here, the access you need and no more, and I think that helps. And then finally, I think this data actually gets to, when there is an incident, and recovery and response, you know, sort of like a hidden gem there, that you have that really fine-grained, detailed event information when there is an incident, right.

Lisa, I don't know where that 25 minutes went exactly, but it went, and we do need to move on. But I do have a question from one of our attendees today about NIST cooperation, specifically: are you working with ISO and IEC for cyber security standards? I'm thinking specifically of ISO 27000 and IEC 62443. Not necessarily the specifics, but at least answer the general.

Yes, so this is probably a very standards-aware, cyber security ISO standards-aware person that wrote the question. So we are involved in the IEC work, in the ISO work. I don't know that we have direct participation, but we certainly always have a goal that the NIST document that is sort of analogous to the 27000 series is the risk management framework, 800-53, right, and so we always seek to make sure that those are aligned, that they are not inconsistent, that they are not in conflict, because we recognize that many folks who want to meet
the principles of NIST documents, right, the other document, 800-39, which talks about how to manage cybersecurity risk, they may actually do so in an implementation of that 27000, and then you get the benefit, if you choose to be certified or registered, or certified now, right, they call it certified, if you choose to go down that path, you know that that's there and there's consistency.

That's great, thank you for taking that. And with that we must move on with our day. Thank you for giving us a great start, Lisa. Good luck in your work in NIST and we look forward to future collaboration. So, absolutely, big virtual round of applause. Thank you very much.