The Biden administration’s zero trust strategy and implementation plan is filled with objectives and deadlines. The 19 actions help outline the North Star that agencies must strive for over the next year.

The Office of Management and Budget found most agencies have overwhelmingly implemented multifactor authentication (MFA) at the network layer and are moving toward implementing phishing-resistant MFA as well. The challenge now will be to move these technologies down to the application layer and to continue the shift away from the traditional perimeter security.

Agencies must use the zero trust strategy and national cybersecurity implementation to continue to guide their efforts, especially as budgets potentially tighten.

By OMB’s calculation, agencies requested about $5.5 billion in total for cybersecurity in the fiscal 2024 budget. The budget requests from agencies detail specific spending plans against roughly 40 cyber capabilities that the OMB clearly defined and aligned to the zero trust pillars.

With the combination of funding and priorities, agencies must continue to prioritize and plan for cyber investments and improvements to meet the zero trust and other goals.

Shane Barney, the chief information security officer for the U.S. Citizenship and Immigration Services in the Homeland Security Department, said his agency has been on the zero trust journey for the better part of eight years.

But the USCIS priority list remains long as the opportunity for advanced capabilities continue to become available.

“Our biggest priority is on the identity side. My office actually owns identity and credential management systems, which is very unique in the federal space, not all CISOs do. It should be mandated actually. So in terms of our focus, it’s really on the networking side as well as applications,” Barney said during the discussion Prioritizing Cybersecurity Goals to Protect Agency Networks. “USCIS is a development heavy shop. We do development on a scale and in a way that rivals any federal institution and any commercial organization. We’re really good at it. So zero trust does require some new initiatives in that space that are really important. In fact, the most recent one that they added was the change to how you deploy code, where automating your pipeline deployments into production.”

Automation for alerting, response

USCIS started a project called ‘no humans in production,’ which focused on applying automation capabilities to accelerate and ensure the right rigor around putting code into production.

“We realize automation is far more than alerting automation. It was also incident response. It was how we were going to do it because [the tools] could respond faster and quicker than we ever could,” he said. “That, obviously, drives changes in your security operations center, especially changes in your workforce. If you walk into my SOC today, you’ll see my security analysts, but you’ll also see development teams.”

Barney added both the identity and network pillars in the zero trust architecture are underpinned by data, the protection of which is an ever growing concern.

Data protection is among the top priorities for the Justice Department’s in its journey to zero trust. The agency is doing that protection, however, through a different tactic than USCIS.

Vu Nguyen, the DoJ CISO, said the agency is working to ensure every asset access request regardless of the source is thoroughly vetted at all times.

“The second priority that we’re focusing on is implementing a cloud oversight and security strategy because cloud technology is transforming how we are storing and processing information today,” Nguyen said. “By implementing a robust cloud oversight and security strategy, we want to ensure that our cloud environments are not only efficient, but also secure. The next priority is, of course, is improving asset management and cyber hygiene. By focusing on improving asset management, we ensure that every digital component from hardware to software are accounted for and safeguarded through configuration and vulnerability management. At the end of the day, we cannot protect what we don’t know.”

Maturing Justice’s SOC

A big piece to accomplishing these goal is by modernizing and maturing the Justice security operations center (SOC).

Nguyen said these tools and a mature SOC will let Justice become more proactive in how it hunts for cyber attackers and threats.

The ability to disrupt, dismantle and limit potential attackers is a big benefit of zero trust, and something the intelligence community has been working toward for years.

Andrew Boyd, the recently retired director of the Center for Cyber Intelligence at the Central Intelligence Agency, said information sharing among the intelligence community members and across the government assists in the disrupt and dismantle goal.

“We do have to collect intelligence to feed that cycle so that other agencies can take action. The action is very different. Sometimes it’s providing information to our international partners, so they can disrupt ransomware actors. Sometimes it’s just providing intelligence so that the private sector can actually beef up their defenses,” Boyd said. “At the direction of Avril Haines, the director for National Intelligence, we have migrated over the past several years to providing that intelligence to either appropriately cleared private sector leaders or sanitizing intelligence so that it can be a value to private sector entities that don’t have those clearances.”

Can’t protect if you can’t see

Boyd said the open source and classified material provided to federal and industry cyber organizations can help with analytics or targeting of cyber threats.

“Frequently the nexus between the non-nation state actors, ransomware actors and criminal enterprises are a dotted line relationship connected to our nation state adversaries, principally China, Russia, Iran and North Korea,” he said. “We then can get to the tactics that they intend to employ with those plans and intentions and how we can defend ourselves in the federal government, in the intelligence community, but also, when appropriate to share that data with our partners in the private sector. There are an enormous amount of ways to automate that from a collection perspective, particularly in the open source world.”

The ability to use the data and apply automation is giving agencies a new level of visibility.

Kristi Chiarenza, the federal security advisor for Splunk, said that visibility is only becoming more critical because “you cannot identify a threat or combat an issue if you cannot see it.”

“Visibility is key to understanding the right security posture so that you can identify those anomalies that come into your network and be able to react to them and be proactive versus reactive in that state,” Chiarenza said. “With zero trust and the move toward a more data centric approach, you obviously look at your users, your workloads and your devices. And by using those analytics, you will be able to continuously assess your security posture and make sure it is in the right place.”

Chiarenza added agency visibility typically is buoyed by automation tools to help agencies identify alerts in those critical areas that need immediate protections.

Learning objectives:

• Cyber strategies overview
• The usage of automation in a cyber environment
• Addressing the cyber workforce challenges