The effort to overhaul federal cyber defenses has “momentum” behind it, most notably in helping agencies distill broad cybersecurity objectives into specific technology investments as part of the annual budgeting process, according to White House leaders.
Federal Chief Information Security Officer Chris DeRusha said the White House’s zero trust strategy gives cybersecurity leaders the ability to “disaggregate and do strategy-based budgeting all the way down to a technology investment.”
The strategy lays out five zero trust “pillars” and corresponding actions agencies should take before the end of fiscal 2024.
The Biden administration is currently in the middle of building the FY24 budget, and DeRusha said the zero trust strategy is helping his team have “meaningful conversations” with budgeteers across government.
“We can do that by in each budget build saying, ‘These are the capabilities inside this pillar of zero trust,’ and if you’re looking for an investment in X, Y or Z tooling, it fits here,” DeRusha said during the Authenticate 22 conference on Monday. “You can bring that back to us, we get that data. And then we can build back up and have a sense for each pillar, how much people are investing over each individual budget year, and then how much at an aggregate level they’re investing in their zero trust strategy implementation.”
“I’m just trying to see if we can keep building off that success by being compelling, and showing with data the need for these investments, because that’s what’s been missing from it,” he said. “If you can’t fund these things, you’re not doing much. And so it’s really, really important that you use that data to drive those investments.”
TMF driving zero trust lessons
While most agencies have had to find room in existing budgets to begin implementing zero trust architectures, a handful have received funding for zero trust investments through the Technology Modernization Fund.
They include the U.S. Agency for International Development, the Agriculture Department, the Office of Personnel Management, the Education Department, and the General Services Administration.
But DeRusha said the TMF’s zero trust investments came with some strings attached.
“The compact is we need it to be an enterprise good,” DeRusha said about the TMF investments. “What you learn from this, we want to pull back in and work with [the Cybersecurity and Infrastructure Security Agency] and others from the center point to learn those lessons. And it’s been really cool, because a lot of these agencies we picked up front, they’ve been in communities of practice we set up, engagements that we have with our industry or academia partners.”
The zero trust strategy puts a premium on enterprise identity and access controls, including multifactor authentication. It requires agencies to adopt “phishing resistant” authenticators, like those developed by the FIDO Alliance, in addition to the Personal Identity Verification card.
Adversaries can increasingly automate phishing attacks and successfully take advantage of text message codes and push notifications that are used as part of “conventional” multifactor authentication, according to Eric Mill, senior advisor to the federal chief information officer.
“We just can’t keep using these conventional methods, when we know how easily they fall when it counts,” he said. “So we’re really focused on opening doors, and knocking down barriers to taking the phishing resistant approaches that we have and making them work. And especially knocking down barriers to pulling in newer approaches, FIDO-based ones being the big family of them, and really making better use of those inside of the federal government.”
The strategy further directs agencies to integrate multifactor authentication at the application level, rather than through a network authentication mechanism, such as a virtual private network. “In mature zero trust deployments, users strongly authenticate into applications, not into the underlying networks,” the strategy states.
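As an added illustration (not code from the article, the federal strategy, or the FIDO Alliance), the Python sketch below shows the relying-party side of the property Mill describes: a FIDO/WebAuthn assertion is bound to the origin and challenge of the site the user actually visited, while a text-message code can be typed into any page and forwarded. The hostnames, counter and challenge value are constructed for the example; signature verification is assumed to happen separately.

```python
import base64
import hashlib
import hmac
import json

# Assumed relying party identity (hypothetical login host, not from the article).
RP_ID = "login.example.gov"
EXPECTED_ORIGIN = "https://login.example.gov"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def client_data(challenge: str, origin: str) -> bytes:
    # The browser builds clientDataJSON itself and records the origin the user was on.
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def authenticator_data(rp_id: str, counter: int) -> bytes:
    # rpIdHash (32 bytes) || flags (UP|UV = 0x05) || signature counter (4 bytes, big-endian)
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + counter.to_bytes(4, "big")


def verify_assertion(cdj: bytes, auth_data: bytes, expected_challenge: str):
    """Relying-party checks on ceremony type, challenge, origin and rpIdHash.
    The credential signature over auth_data || sha256(cdj) is assumed checked elsewhere."""
    cd = json.loads(cdj)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch or replay"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def verify_sms_code(submitted: str, issued: str) -> bool:
    # A one-time code carries no origin binding: whoever holds the code can submit it.
    return hmac.compare_digest(submitted, issued)


def demo():
    challenge = b64url(b"constructed-challenge-value-not-random")  # constructed; real one is random
    legit = verify_assertion(client_data(challenge, EXPECTED_ORIGIN), authenticator_data(RP_ID, 7), challenge)
    # Same user, same challenge, but the ceremony ran on a look-alike host (constructed name):
    lookalike = "login-example.gov.test"
    relayed = verify_assertion(client_data(challenge, "https://" + lookalike), authenticator_data(lookalike, 7), challenge)
    sms_relayed = verify_sms_code("482913", "482913")  # code entered on the look-alike page still verifies
    return legit[0], relayed[0], sms_relayed
```

`demo()` returns `(True, False, True)`: the genuine assertion verifies, the relayed assertion is rejected on origin before any signature is examined, and the forwarded text code is accepted because nothing in it records where it was entered.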
Mill highlighted a part of the strategy that directs agencies to identify an internal-facing application with a “moderate” security impact under the Federal Information Security Modernization Act and make it fully accessible over the public Internet.
“That raised some heads,” Mill said. “We really do anticipate the federal government having to grapple at the application layer more effectively than it has and to invest in that space.”
CISA is also spearheading a corresponding push for the private sector, especially technology companies, to adopt multifactor authentication across the board for their products and services.
“It’s a huge transition … when you look at the federal government footprint,” DeRusha said. “We still are pushing for MFA of any kind everywhere, while we’re also pushing for FIDO technology and phishing resistant, strong authentication. It’s going to have to be a balance based on risk as we’ve looked at the type of assets we’re protecting and where we put our efforts first, and investments and metric-ing and all that. It’s going to be a big transition.”