NGA, DHS S&T’s unique approaches to zero trust, cybersecurity

The National Geospatial-Intelligence Agency is in the midst of figuring out how to apply zero trust capabilities across more than 1,300 systems and applications.

The variety and breadth of this effort requires a different kind of approach to meeting the goals laid out by the intelligence community and the Defense Department.

The Energy Department’s journey to zero trust is taking a workforce-first approach.

And the Consumer Financial Protection Bureau, the application layer in the zero trust pillars is getting some special attention.

As the common refrain goes with the governmentwide initiative, there is no one path to zero trust, just the same end goal: To fundamentally change the way agencies protect their systems and data.

“One of the things we’re really focused on is how can we assess the integrity of the zero trust implementations independent of any specific commercial vendors technology? How do we do it kind of at a technology level and at a high level, but also how do we come up with standards that allow us to assess the integrity of like our trust algorithms inside of the policy decision points and the policy engines? How do we come up with a standard measure for indicating the security there so that’s just one of the areas that we’re looking into?” said Donald Coulter, the cybersecurity science advisor for the Office of Science and Technology at the Department of Homeland Security, during a recent panel at the 930Gov conference, an excerpt of which was played on Ask the CIO. “We’re going to be looking at how do we improve zero trust capabilities and fundamental technologies that are beyond what the standard commercial implementations are providing in the near term, that includes looking at how to expand contextual awareness and expand all the metadata associated with all the systems and resources that we have to be able to communicate those across systems and system boundaries and organizational boundaries.”

Coulter said S&T will focus on standards for system engineering and the development lifecycle and how to bring them together, especially from a supply chain risk management perspective.

Among the questions S&T is asking about zero trust are: How are we influencing the standards creation to make sure that we’re approaching them to make sure that we have the visibility and understanding to retain the resilience and understanding of what’s going on in systems? How can we help the developers and the consumers understand what they’re buying and what they’re deploying is safe?

That question and challenge of integration is front and center in NGA’s zero trust strategy.

Monica Montgomery, deputy chief information security officer and deputy director of the cybersecurity office at NGA, said there are seven pilots driven through the agency’s enterprise architecture to address all the zero trust pillars.

“We have seven minimal viable products (MVPs) that are across those seven different pillars, but that has broken down into 91 different zero trust activities and 170 enterprise requirements,” Montgomery said. “As systems come through that, business management systems, they are producing those requests for changes (RFCs), each one of those is getting bounced across our solution epic. So we don’t have to go to all the programs. The programs are coming to us, and that’s given us a really a great opportunity to look at how we can take funding that we’ve received from the Office of Management and Budget, from the Director of National Intelligence and from the Defense Department, and appropriately section that off and fund those enterprise security services, first and foremost. But that’s not the totality of our enterprise, so we have to find ways to get to those smaller programs that are needing that funding who can’t afford to do it themselves. So doing that through our enterprise architecture and our solution epic, I think we’ve got a unique approach.”

NGA identified those minimum viable products based a few criteria, including enterprisewide systems, how the capabilities meet DoD and IC zero trust target activities and how they could get other parts of the agency on board more quickly.

The last criteria, getting everyone on the zero trust bandwagon, can be among the toughest parts of the effort.

To that end, the Energy Department is requiring a minimum level of training for all employees.

Amy Hamilton, the visiting faculty chairperson at the National Defense University’s College of Information and Cyberspace and Energy’s senior advisor for national cybersecurity policy and programs, said investing in people and training is among Energy’s most important zero trust initiatives.

“What the department is doing is ensuring one person at every site in every cybersecurity program is trained on zero trust specifically. That has been an enormous initiative that took a lot of effort because a lot of times we don’t invest in the people and it’s more about getting a tool. So to actually have those people out there trying to do something that we’re finding very rewarding,” Hamilton said. “We selected one vendor to go ahead and [create standardized training courses]. We also had them specifically tailor some of their knowledge base so that people can go ahead and access a Rolodex. What it has really done for the department, though, is give us a common lexicon and that gives us also a common point for deviation.”

NGA’s Montgomery added her agency is making cybersecurity a part of everyone’s job.

“It is no longer the 137 people who are considered cybersecurity. It’s not their job. It is the totality of the agency wherever you sit, your job is cyber because of things like phishing and because of who you are and you might not realize the privileged accesses that you have,” she said.

One way agencies are addressing the personnel challenges is through better software development, which lets leaders assign roles and responsibilities to users more easily.

Dr. Tiina Rodrigue, the CISO of the Consumer Financial Protection Bureau, said her agency is focused heavily on the application pillar under zero trust for that and other reasons.

She said concerns about the risks brought by the supply chain as well as open source software as CFPB builds a lot of its own software.

“We have already seen that from the Log4J and everything else, that when vendors or open source communities include problems, we transitively inherit those problems. So part of what we’re looking at is being our own product development team to make sure that security also as part of the ideation and that as part of that orchestration that we have built in cybersecurity from the get go because with our systems thinking approach, we recognize that we’re all interconnected and these things will emerge dynamically with much less warning than before and often with no warning,” she said. “Part of what we’re doing are building those relationships so that there is cyber synthesis throughout the whole thing. That’s the major emphasis we have around zero trust because with those applications tied into identity, tied into the network and devices and the data itself, we’re able to protect everything at the same time.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.