Zero Trust Cyber Exchange: NARA’s Sheena Burrell on adjusting the ZTA plan to the agency

All agencies are different and so it makes sense that they won’t all be taking the same path to zero trust, says NARA’s Sheena Burrell. During the Zero Trus...


Zero Trust Cyber Exchange: NARA

Everyone’s zero trust implementation plan should be different, and I think that’s a healthy thing for them to be different, because everyone’s not starting from the same starting point.

Every agency faces a clear mandate from the Biden administration to move toward a zero trust cybersecurity architecture.

Some agencies started moving toward a zero trust approach before the administration’s executive order made it a governmentwide priority. Others, however, are just getting started.

Sheena Burrell, deputy chief information officer at the National Archives and Records Administration, said each agency’s journey to zero trust will look different because each agency has its own unique challenges.

“Everyone’s zero trust implementation plan should be different, and I think that’s a healthy thing for them to be different, because everyone’s not starting from the same starting point,” Burrell said during Federal News Network’s Zero Trust Cyber Exchange.

For small agencies like NARA, the biggest challenge standing up a zero trust strategy remains budgetary resources, she said.

“NARA has a lot of data. We have to be able to protect that data, and zero trust really does give us the capabilities and that strategy. We just need to be able, from a National Archives [perspective], to take a look at all those different pillars of zero trust and figure out what’s the best thing for the National Archives. Where do we really start, and how do we get those resources to be able to build a zero trust architecture?” Burrell said.

Same goal, different paths to zero trust

Although agencies face unique challenges in making zero trust a reality, Burrell said that all agencies share a fundamental goal.

“All agencies are going to have to really look at this the same way, in terms of what resources do you have? What are your existing tool sets that you’re already working with? And what capabilities do you need to add in to have a good zero trust architecture? I think that for the most part, the National Archives wouldn’t be any different in terms of how we are doing our cybersecurity measures as, say, the Social Security Administration, somewhere I used to work,” Burrell said.

Agencies also share some common elements when it comes to what a zero trust implementation should achieve, she said.

“We all have a plethora of data, a lot of information that we want to make sure that we’re protecting. But there are also different applications that we need the public to get on,” Burrell said. “Now that we’re all teleworking and we’re working from home, we need to make sure that we have applications that our users at our agencies can get on. It’s not necessarily being restricted based off of just your network, but being able to see who is trying to get onto what application or what device. All agencies have to be able to look at that.”

Common zero trust challenge: resources

NARA is hardly the only agency seeking additional budget resources to move forward on its zero trust strategy.

Burrell also serves on the Technology Modernization Board, which oversees a governmentwide revolving fund that lends money to agencies for IT modernization projects that demonstrate a strong return on investment. Agencies, in turn, are expected to pay back Technology Modernization Fund.

“Being a member of the TMF Board, I’ve seen a couple of proposals from agencies for zero trust, and they all kind of look a little bit different,” she said. “And it’s not to say any of them are wrong. It’s just that needs for one agency may differ from the needs of another agency.”

TMF has experienced ebbs and flows from Congress in terms of annual appropriations. However, the fund received an unprecedented $1 billion through the American Rescue Plan.

“When we put out mandates, a lot of times these mandates don’t come with funding, and the TMF board really does help to support those agencies who may not have a pot of money just sitting around,” Burrell said.

The ARP funds led to different TMF loan repayment terms that allowed its board to give greater consideration to zero trust and cybersecurity proposals.

“A lot of these zero trust strategies or even cybersecurity strategies may not have cost savings where you’re able to pay back the traditional TMF loan. … Agencies are able to put together these proposals and have a minimal payback versus a full payback,” Burrell said.

The TMF Board also has several zero trust experts among its members, including Federal Chief Information Security Officer Chris DeRusha and Sean Connelly, the Cybersecurity and Infrastructure Security Agency’s Trusted Internet Connection program manager.

“As all these different proposals have come in, we’ve had those experts be able to look at them and really provide some guidance. And even if they didn’t hit the mark, the TMF Board is able to say, ‘Here’s what you could do better to be able to put in a proposal again,’ ” Burrell said.

Unexpected benefits of engaging with TMF Board

Agencies benefit from applying for TMF funds, even if the board rejects their proposals. Burrell should know. NARA submitted a zero trust proposal to TMF that was rejected. (She recused herself from voting on her own agency’s proposal.)

Following the TMF Board rejection, Burrell said NARA officials met with CISA and the Office of Management and Budget to discuss ways to improve the agency’s strategy for zero trust.

“I think the benefit for NARA, by putting together our proposal and getting denied, was the support from CISA,” she said.

Small agencies in need of zero trust resources can also benefit from TMF in other ways. The TMF board is responsible for producing playbooks based on successful use cases. Burrell said those playbooks may especially benefit agencies that are not sure where to begin with a zero trust implementation strategy.

“As agencies start to implement zero trust, especially some of our bigger agencies, like the General Services Administration or the Department of Education, those playbooks are really going to help small agencies as they go about doing their implementation of zero trust. Even if there isn’t a monetary value that the TMF Board can give to some of the smaller agencies, or even bigger agencies, I think that the knowledge from the project management office and the feedback from the board on their proposals, as well as those playbooks, really do play a part holistically in the TMF Board’s value to agencies,” Burrell said.

“Those are intangible benefits that we get from the board and from submitting TMF proposals.”

To listen to and watch all the sessions from the 2022 Federal News Network Zero Trust Cyber Exchange, go to the event page.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Amelia Brust/Federal News NetworkCybersecurity Maturity Model Certification

    Data security’s integral role in the digital age

    Read more
    NDAA, POGO, 2025 National Defense Authorization Act

    NDAA amendment to give more authority to DoD components to buy cyber products

    Read more