Date: On demand
Duration: 1 hour
Cost: No Fee
The first mention of zero trust came from a usual place. Congress. Former chairman of the House Oversight and Reform Committee Jason Chaffetz (R-Utah) wrote a column in 2016 calling on agencies to adopt this approach after details emerged from the breach suffered by the Office of Personnel Management.
After that column, it took two years before the federal community started hearing about this concept of zero trust. And then boom, everything is about zero trust by 2019 up until today.
Today, President Joe Biden’s executive order put a marker down for agencies to meet the goal of zero trust. OMB, NIST, CISA and DoD all got involved over the past two years with assorted guidance, standards, pilots and strategies.
Over the course of the last two years a few things have become clear about zero trust: It’s not a product. It’s not a capability. It’s a way of thinking and securing data, systems and people.
Zero trust also is a journey. That journey began years ago with capabilities like those in the continuous diagnostics and mitigation (CDM) program, the Trusted Internet Connections architecture and identity and access management tools.
And like any cyber effort, that journey is long, it’s hard, it costs money and, most importantly, it requires agencies to be flexible as threats change and new technologies emerge.
Gerald Caron, the chief information officer in the Office of the Inspector General for the Department of Health and Human Services, said there still is a lot of education about what zero trust is and why it’s important.
But there is no question that agencies are moving in that direction as cyber threats continue to increase and evolve.
“I think the hard part, and what people need to understand is, you have to put just as much effort into the policy, people, procedures and what is your understanding what your risk tolerance is, so that when you are registering all these factors that are coming in. If you look at NIST special publication 800-207, where the policy engine concept comes in, when you bring in all this telemetry and all these factors and understanding, the risk of each one adds up to what I call a dynamic risk score,” Caron said during the panel discussion Cyber Leaders Focus on Zero Trust sponsored by Carahsoft. “Then, if you hit a threshold, what action am I going to take as a result of those factors adding up to that going over that risk threshold? All of a sudden, the risk changed a little bit, I let you in first you had access to what you needed. I might let you download to read only so you can’t download or print at this time until I figure it out. Or the risk level has changed below that threshold and I’m going to kick you off the network just because you triggered a conditional access policy that I just cannot tolerate.”
To get to the place Caron described means integrating a host of existing and new cyber capabilities.
These include those from long-time initiatives like CDM and TIC from the Cybersecurity and Infrastructure Security Agency (CISA) as well as new and emerging capabilities from industry.
Sean Connelly, the Trusted Internet Connections (TIC) program manager at CISA, said the agency is supporting agencies’ move to zero trust through the development of a maturity model.
“We are working to consolidate the maturity model to understand where agencies want help overall, just not in terms of the strategy and maturity model, but in terms of relief in other areas, technical, process, people, of course, and the mindset that’s required for zero trust to move forward,” Connelly said. “It’s not about building higher walls, not about building more walls, more defense in-depth, but it’s more about building smarter gates, or integration of those different systems.”
TIC program Manager, Cybersecurity and Infrastructure Security Agency
Chief Information Officer, Office of the Inspector General, Department of Health and Human Services
Senior Director, GTM Strategy and Growth Marketing, Forcepoint
Chief Technology Officer, Co-founder, Forward Networks
Chief Information Security Officer, Fidelis Cybersecurity