The policies are out. The strategies are done — for now — and the time for talk is over.

Federal Chief Information Security Officer Chris DeRusha said earlier this year when it comes to zero trust, it’s all about implementation.

While agencies still are waiting for a few other policy or guidance documents, for most 2023 and beyond will be about securing networks, systems and data with a new mindset and approach.

The big question for many agencies is how to define what success looks like and how can they measure their progress on this difficult zero trust journey?

Sean Connelly, the Trusted Internet Connections program manager for the Cybersecurity and Infrastructure Security Agency in the Homeland Security Department, said many agencies are focused on instilling zero trust principles across all parts of the agency, not just in the technology office.

“A lot of this is back to those first principles of cybersecurity. How could we advance not only on the tactical side, but the business leaders, the architects and those type of people on the business application side,” Connelly said during the panel discussion Implementing a Zero Trust Architecture Framework. “There’s been a large push to adopt fast identity online (FIDO) collectively across some agencies. While other agencies have really come back to OMB and CISA just wanting to make sure they are reading the policy right and how that goes directly across the pillars. Another one we’re seeing opportunities is endpoint detection response (EDR). What’s interesting, some agencies have four or five different EDR clients and some of them are actually using this effort to actually collapse down their technology stack a little bit and try to say we need one enterprise EDR client across their mission.”

As Connelly described, the move toward zero trust is at least a two-pronged effort: one focused on consolidating, modernizing cyber technology and tools; one focused on making sure non-technology leaders and employees understand why and how this approach works.

Amy Hamilton, a senior cybersecurity advisor for policy and programs for the Department of Energy, said since no agency is starting this journey with a “clean slate,” success is focused on taking advantage of what they own, filling gaps and educating the workforce.

“We started a series at the Department of Energy of ZTA tabletop exercises. I found out most people outside of the department of Defense know what a tabletop exercise is, so we started calling them scenario-driven discussions,” she said. “We go into them with questions like, ‘Okay, how is an identity determined when it comes from a human resources perspective? And then how does that person get approved to get their credentials to get on the network?’ and just walking through the processes in this granular level, and then constantly checking back to our governance and analytics.”

Hamilton added the exercises also get into the technology layer analyzing how the agency ensures it has visibility into the who and what is on the network, re-evaluating different cyber checkpoints and connecting people from different parts of the department.

“We have a real opportunity through ZTA to break down those barriers. One of the things that we’ve been able to successfully do is get our business mission partners to the table is absolutely essential,” she said. “We make sure they know what’s really important about this is all and the partnerships that we have across the different agencies working with each other because you can’t go it alone, you can’t afford to go it alone.”

Paul Blahusch, the chief information security officer for the Department of Labor, said this intra-agency coordination becomes more important as the move to zero trust requires a major change in thinking about how to protect data and networks.

“We think in the long run it may not cost any more than our ‘castle and moat’ approach, but there’s going to be a spike when we’ve got both going on at the same time. That’s where we’re at and what our challenge is,” he said. “It’s now about budget and finding the funding that’s going to allow us to kick start that effort off. We have the plans in place, and now we’re looking to implement and identify those funding sources we can use.”

Funding remains a major obstacle

No agency is freed from the challenge of finding funding.

This is why the Defense Department identified funding to help the services and defense agencies make the move.

Randy Resnick, the director of the zero trust portfolio management office for the Department of Defense, said the new strategy, which the Pentagon made public in November,

“The goal for the Department of Defense as a success point is the determination of where do we slow down stop or contain the adversary,” he said. “We drew out across all seven pillars a process that we can actually build out an enterprisewide network that achieves that. We believe all those seven pillars actually could define and describe an infrastructure for data and communications. We also strongly believe that all seven are equally important and they all have to be worked as near simultaneously as possible, and none of them should have a priority over the other.”

DoD has given the services and agencies five years to hit a target level, and the strategy outlined three approaches to help them get there.

Resnick said these include implementing it through existing infrastructure, which it calls the Brownfield approach. Another approach, which DoD will begin testing in 2023, is through commercial cloud providers. The third is through a private DoD-only cloud.

ZTA implementation plans

Several agencies are joining DoD in implementing multiple ZTA projects at once.

Gerry Caron, the chief information officer for the Office of the Inspector General for the Department of Health and Human Services, said his office has established five foundational projects, including data mapping to understand what they’re trying to protect, where is it going, what is it doing to create a baseline. Caron said that data will eventually lead to micro-segmentation.

“We’ve entered into an agreement to get a full 24/7 security operations center-as-a-service with the Justice Department, who provides us as a service and we’re doing a lot of tools integration because I need that telemetry to make decisions on and those logs and everything else,” he said. “We’re we have some identified some areas for maturity for our identity management. We’re undertaking that so a lot of planning and some purchases, and now we’re doing secure access service edge (SASE) as well. We are getting rid of that boomerang effect of relying on the on-premises network, but still get that security telemetry.”

Several agencies are moving toward SASE implementation as part of the ZTA strategy.

Michael Mestrovich, the chief information security officer at Rubrik, said to move to SASE or other ZTA related technologies, the key is for agencies to understand what their critical assets are and where they are located.

“We all know it’s going to take an enormous amount of funding to deploy zero trust solutions, so really this is about making some economies of scale, what are the most critical assets that you need to protect first? And then how do you best deploy solutions that protect those critical assets?” Mestrovich said. “Some things that I think a lot of organizations struggle with at times is understanding what is their critical data, and then where does that critical data actually reside? I think a lot of organizations believe that critical data resides in certain applications, and then when they do data mapping exercises, they come to find out that their user base uses that data and those applications in entirely different ways than they had anticipated. So doing those data mapping exercises really helps them pinpoint the criticality of their data, and then from that, they can go ahead and utilize resources to shore up the data protections around that around that information.”

Learning objectives:

  • Current state of zero trust
  • The pillars of zero trust
  • Measuring success of zero trust strategy

Please register using the form on this page or call (202) 895-5023.

By providing your contact information to us, you agree: (i) to receive promotional and/or news alerts via email from Federal News Network and our third party partners, (ii) that we may share your information with our third party partners who provide products and services that may be of interest to you and (iii) that you are not located within the European Economic Area.

Please register using the form on this page.
Have questions or need help? Visit our Q&A page for answers to common questions or to reach a member of our team.

Speakers

Paul Blahusch

Chief Information Security Officer

Department of Labor

Sean Connelly

Program Manager, Trusted Internet Connections

Cybersecurity and Infrastructure Security Agency

Randy Resnick

Director, Zero Trust Portfolio Management Office

Department of Defense

Amy Hamilton

Senior Cybersecurity Advisor, Policy and Programs

Department of Energy

Gerald Caron

Chief Information Officer

Office of the Inspector General, Department of Human and Health Services

Michael Mestrovich

Chief Information Security Officer

Rubrik

Jason Miller

Executive Editor

Federal News Network

Sponsors

By providing your contact information to us, you agree: (i) to receive promotional and/or news alerts via email from Federal News Network and our third party partners, (ii) that we may share your information with our third party partners who provide products and services that may be of interest to you and (iii) that you are not located within the European Economic Area.