Zero trust is the next logical step for SBA’s cyber evolution

For much of the past two years, the Small Business Administration has been on a mission to standardize and consolidate its cybersecurity tools and services.

In many ways, SBA is modeling what the future of cybersecurity looks like for many agencies.

Guy Cavallo, the deputy CIO at SBA, said the agency plans to continue to evolve its cybersecurity tools and strategy through the use of a zero trust framework.

Guy Cavallo is the deputy CIO at the Small Business Administration.

“Our next step is to take all of this to every one of the 115 different SBA locations to zero trust networking and break apart from everything being connected and once you are on the SBA network, you are trusted, to not trust anything,” Cavallo said on Ask the CIO. “Because of the cloud tools we are using, those cloud tools will allow us, in effect, [to] be the Trusted Internet Connections (TIC) for each one of those 100-plus locations and see the same dashboards that we are seeing now through the traditional MTIPS approach. That for us will be a revolutionary change.”

Cavallo said he credits SBA’s innovation with the continuous diagnostics and mitigation (CDM) program and with the TIC program, both of which are led by the Department of Homeland Security, as the reason why the agency is ready to move toward a zero trust framework.

Over the last two years, SBA led the effort to use cloud tools to meet the spirit and intent of CDM and TIC under DHS’s supervision. Under both governmentwide cyber initiatives, SBA connected to cloud security tools to look at on premise and cloud network services. Instead of trying to match TIC requirements control-by-control or CDM requirements tool-by-tool, SBA focused on the outcomes, which was understanding and acting on threats and network vulnerabilities in real time.

Now that it has proved both the value and speed of its approach, Cavallo said SBA is ready for the next step in its cyber journey, zero trust.

Cavallo said SBA picked five-to-six different offices of assorted sizes and regions to test out the zero trust model.

“This also will allow us to do is replace MTIPS circuits at each location with whatever the best for that area, whether it’s cable modem or other connection, so that we will have more than one vendor across the entire country. It will greatly reduce our telecommunications bill as a side effect of that,” he said. “It will take use two years total, assuming the tests go well, before we would finish implementing it because there are so many office locations. We know see the end of the tunnel of what the visibility is so now it’s changing the underlying architecture to go to a zero trust architecture with the underlying capabilities.

Moving off a 1990s network

The network architecture modernization means SBA can upgrade from a 1990s model, which Cavallo called the “hub and spoke” model. He said under this current architecture, the wide-area network is less secure and stable because if one hub goes offline, then the five or six spokes that are connected to it also goes offline.

Under this new approach, Cavallo said every SBA office will be its own hub so an internet outage will not have the same broad impact as it does today. The other goal, Cavallo said, is to move closer to creating roles and responsibilities for employees and contractors who use SBA’s network.

Through the zero trust concept, organizations have a better understanding of who is on the network and what they can get to in terms of data and systems. The CIO and chief information security officers councils as well as DHS through its TIC 3.0 uses cases are pushing the concept of zero trust governmentwide.

Meanwhile, SBA joined several agencies, including the Air Force, the Defense Information Systems Agency and others in piloting the concepts around zero trust.

The National Institute of Standards and Technology also is revising its zero trust guidance Special Publication 800-207. NIST computer scientist Scott Rose said the publication is meant to help generate a “conceptual framework” for agencies and cybersecurity experts to apply zero trust principles within their enterprise — both in their network infrastructure and how they actually do operations.

As for SBA, it continues to share its CDM and TIC pilots with other agencies through in-person presentations and soon through a publicly available report.