Date: On Demand
Duration: 1 hour
Cost: No Fee
As 1 of 10 agencies directly impacted by the SolarWinds attack last winter, the Justice Department isn’t letting a good crisis go to waste.
In the aftermath of the attack, DoJ is using its experience to accelerate key cyber initiatives that have been under discussion for several years.
Melinda Rogers, the chief information officer of the Justice Department, said after poking around the periphery since 2017, Justice is developing a strategy to move toward zero trust architecture.
“It’s given us the opportunity to push hard in evolving our framework. But we still have a solid program today. Now we’re looking at how do we continue to move forward and learn from the lessons of the attack, and build our environment in a way that allows us to safeguard our information without compromising the user experience?” Rogers said on Ask the CIO sponsored by Menlo Security.
Rogers said this user experience is why the move toward zero trust must be driven by the entire agency and not just by headquarters.
“It’s important for us to socialize any particular notion, especially since it’s a pretty big architectural evolution, with our component constituents. We have IT representatives, CIOs at these various bureaus, and what we’ve done so far is outlined at least a proposal of what we’d like to do and socialized it with our community. We’re now in the process of getting feedback from them in terms of either things to consider, what might work, what might not work and get all the challenges out on the table as early as possible so that we’re not all the way down in designing and implementing, and then we find out something doesn’t work,” she said. “We’ve got to find a way to do pilots, get some lessons learned that way and also get some quick wins that way so that we can do better as we roll out the initiative across the entire organization. Let’s make sure it works. Let’s make sure the user experience is optimized and it’s not adversely affected. I think there’s certainly excitement but where we are not about just chasing the shiny new toy, it’s got to work, we got to show the return on investment. We’ve got to be able to show the goods behind it. So I am very excited where we’re still early on that adoption front. But all indication is that we have a good group of IT CIOs that are supportive of us approaching this architecture.”
Zero trust pilots on the horizon
Rogers acknowledged that the SolarWinds attack, along with President Joe Biden’s cyber executive order, which calls for an acceleration of zero trust architectures, created a perfect storm of sorts for Justice.
She said over the course of the next year or so, Justice will focus its pilot efforts around several areas including locking down the applications, putting stronger identity and access management controls in place and automating end point detection and response—another call out from the cyber EO.
“Today, we obviously have 40 plus components, each managing the users that are coming and going. But we have to have a way across the enterprise to unify the digital identities that exist in our organizations and be able to decipher who has access to what and who is authorized to what level of access. Melinda Rogers could be a general user of this application, but she could be an administrative user for another application, we’ve got to be able to get down to that level of granularity,” Rogers said. “Historically, we’ve relied on the trust notion of let’s say Component A versus Component B if they’re all part of the Department of Justice network, which is a trusted network. I think today, especially given the lessons learned from the SolarWinds attack, we have to be very diligent about getting down to the people which can be a bear for an organization that’s our size, but we’ve got to do it.”
Similar to identity and access management tools, Rogers wants a more standardized approach to end point detection and response. She said Justice deployed these tools four or five years ago, but not in a consistent manner.
“If we can standardize on one or two versions of that tool, it will help the Security Operations Center certainly be that much more effective and efficient if there is an incident that occurred to be able to know how to address that specific box that’s breached, or how do we take that offline,” Rogers said. “That’s where standardization comes in. We don’t want five or six different versions of this stuff floating around out there. Is it to the degree that we can standardize and be able to act quickly and contain quickly? That’s going to be our objective.”
Better cyber through risk-based decisions
She added Justice still is developing its acquisition strategy, but she does expect requests for information and possibly requests for proposals to come later in the initiative.
“We are piloting the zero trust broker model for some of our remote access IT. It’s a relatively small pilot, primarily for those of us that are within my immediate office. We do have a couple of different components that are interested in piloting their use case, which will be a little bit different from ours, but from a remote access that seems to for us right now seems to be sort of the lowest hanging fruit that we could do some quick tests on,” Rogers said. “My objective right now, without getting into the specific vendor components, is about use cases that sort of covers everybody, remote access, but it’s also one where if it doesn’t work, you have the office as an option because a lot of folks are vaccinated, so people are going back into the office. I’m not I’m not this is not forcing anything, but just that it’s an option that we’re testing.”
As part of moving toward zero trust, Rogers said Justice continues to take a risk-based approach to technology and cybersecurity.
She said the data from cyber tools as well as mission needs are helping to inform management decisions. At the beginning of the pandemic in March 2020, one of those data-informed, risk-based decisions came to the forefront.
The department was using an assortment of video conferencing platforms and Rogers quickly pushed forward to ensure all of them were secure but accessible for employees.
“Overnight, we, at the department level, from the cybersecurity perspective, had to say we’re going to allow for communication on all five or six of the platforms that were used by all different components. Part of that was quick decision making based on information that we had. Have we seen any vulnerabilities associated with these platforms? No. Are there other concerns that might somehow impede our ability to open these channels up? No. Do we have full visibility or partial visibility, but we feel like what we have is enough? At the end of the day, we didn’t have that much time, and it was a matter of go, no go,” she said. “We said go and we watched them like a hawk. We looked for anomalies. We looked for traffic. We got the Justice Security Operations Center (JSOC) staffed up to make sure that everybody is on full alert. We allowed our security operations folks to do the monitoring remotely as well. So it was a matter of all hands on deck.”
Rogers added Justice analyzed its risks, ensured there were compensating controls and looked at other factors to make sure they were comfortable with the video teleconferencing platforms.
Today, she said Justice is using two video teleconferencing tools as they were consolidated over the last year.
Rogers credited asset management software that Justice deployed a few years ago across the enterprise to keep track of all end points as a key piece of the zero trust architecture and of driving risk decisions.
“We’ve relied on that information over time to give us insight into how many servers we have across the landscape. How many laptops do we have? How many versions of out of support software might still be lingering on which boxes? Are they lingering? It gave us that visibility and its data. It is not that information was not retrieved by data calls,” she said. “We get that visibility in real time, at any point in time, where we are in good shape, and where we might have some soft spots in an organization our size. Nobody can say they’re perfect, but the objective here is how do you achieve that? We have solid good visibility that gives us enough intelligence to make some of those risk-based decisions.”
Join moderator Jason Miller and Rogers as they discuss:
Deputy Assistant Attorney General and Chief Information Officer, Department of Justice
Executive Editor, Federal News Network