Ross Foard comes to his position at the Cybersecurity and Infrastructure Security Agency with experience. Lots of it. His long and storied federal career has landed him at CISA as an IT and information security specialist. “It’s probably,” he said, his “most rewarding” position to date.
Among other things in CISA’s cybersecurity division, Foard works in the Continuous Diagnostic and Mitigation Program (CDM). As part of that program, he’s the Subject Matter Expert on Identity, Credential and Access Management (ICAM).
“There’s really a lot of different aspects to digital delivery and everything centers on knowing the person to whom you’re going to be delivering the services, having some context for doing that,” Foard said onFederal Monthly Insights – Modernizing Citizen Experiences with Cloud Identity. “It differs between whether the services are being delivered to the public or to citizens, who are trying to acquire benefits from the government.”
Much of the work Foard does is helping agencies with delivering digital services to their customers and constituencies, like outside partners or people within their own organizations.
“The CDM program provides services for the federal government,” Foard said on Federal Drive with Tom Temin. “CISA has a responsibility for helping the Office of Management and Budget talk to agencies about cybersecurity.”
There is a broader vision for Foard and that is to secure a greater digital experience for people.
“We offer services that go directly to the public,” Foard said. “This past year, we’ve been really active in trying, at CISA.gov, to get information that all kinds of people can go to whether you’re professionals that are working in the cybersecurity field or whether you’re just someone sitting at home trying to figure out how to do something to protect your personal devices.”
Foard said in getting the word out for OMB, CISA publishes some strategies on Zero Trust and the CMMC, the Cybersecurity Maturity Model. Then there are the technical strategies, providing identity and access management.
“Companies and agencies had to try to adapt to doing work in different ways, brought on by COVID,” Foard said. “And every one of them has had to make modifications.”
One of the major ways many had to adapt in the federal government was to not rely on the PIV card, with new workers not having access to PIV cards or veteran workers not being able to get replacements.
“They had used other alternatives,” Foard said. “So in concert with OMB and really in fulfillment of a Zero Trust architecture, we’ve been helping agencies think about how to use not only their PIV cards, but some of those alternatives, when it’s not practical to use a PIV card.”
One of Foard’s main suggestions is very clear, a person, a company, or an agency needs to get access to services in a secure manner?
“We’re being really clear that those things should be phishing-resistant authenticators,” Foard said. “One of the characteristics of the PIV card is that it is not susceptible to phishing. And there are other tokens that you can acquire primarily from an organization called, ‘Fast Identity Online’ or FIDO, which provides phishing resistant authenticators.”