Zero trust is far more than a cyber initiative, says SAIC’s Shawn Kingsberry, who encourages agencies to tackle it as an IT modernization effort. He shares three...
Zero trust, the centerpiece of Executive Order 14028 on improving cybersecurity, is best viewed as part of a modernization strategy, a set of principles for network and application design, and a guide to acquisition.
“When you look at the tenets or the pillars of zero trust, it’s all of the capabilities necessary to deliver an IT mission,” said Shawn Kingsberry, vice president of cybersecurity at SAIC.
Zero trust covers data, applications, infrastructure and identities. Given that, Kingsberry advises that agencies view cybersecurity as national security. He sees the challenges in getting to zero trust as analogous to the early days cloud adoption within the government.
“Zero trust is, in essence, one of the biggest opportunities that I’ve seen in my 22 years working for the federal government,” Kingsberry said. He said the main IT task for federal agencies is to “understand how to identify the risks, duplication and opportunities and turn those into prioritized projects mapped against this zero trust maturity model.”
Kingsberry offered three ways agencies can accelerate their journey.
Because the zero trust principles are universal and presuppose no access attempt should be considered trustworthy without vetting, agencies have an opportunity to share experiences and best practices while creating their zero trust architectures, he said.
Plus, the wide use of zero trust will enable greater sharing of data and applications, within agencies, across agencies and with partners, Kingsberry said. For instance, he pointed to the Energy and State departments as examples of multicomponent agencies that also deal with numerous international partners.
“When you implement zero trust standards, now you can collaborate in a way that it doesn’t matter if you’re inside the United States or out,” he said. “Or between agencies, you now know how to collaborate and exchange information — and with the right checks and balances.”
By building on the security standards laid out in NIST Special Publication 800-53 zero trust furthers the opportunity for government agencies to integrate and interact in secure ways when working together.
To help agencies take advantage of the software tools they already have in place, SAIC has developed a zero trust accelerator to provide guidance to customers as they develop their zero trust strategies, Kingsberry said.
“It’s a consultative engagement that actually leverages all of the products that every federal agency has,” he said. The accelerator accounts for authorities to operate, system controls and boundaries, security controls and other characteristics established within an organization. It compares this information against zero trust principles and NIST publications 800-53 and 800-207, which covers zero trust.
“Now, we can start to provide early benefit realization, to actually make decisions,” Kingsberry said. The accelerator analyzes an agency’s inventory of systems “and turn all of those risks, duplications and opportunities into prioritized projects using a mathematical algorithm to remove bias.”
As a former federal CIO, Kingsberry acknowledged that most IT staffs have pet projects, but the accelerator can provide an objective overview of what an agency should do first in terms of zero trust to improve its cybersecurity posture.
No two agencies have identical sets of applications, and therefore no two will have a matching list of priorities, he said. One agency might need to focus its attention on its financial system, another on a specific mission-related program.
Because every agency also commissions or develops new applications, an agency’s zero trust approach should encompass open source components and anything developed internally or by contractors, Kingsberry said.
Agencies will want to know two things, he said: “One, understand all of the dependencies of the applet or of the components that make up the application. Two, how can I have visibility of the potential exploitations that may be in this pipeline?”
The route to this knowledge is through software bills of materials (SBOMs).
Agencies also need to know “how do I actually get this bill of materials of all of the software that makes up the overarching solution?” Kingsberry said.
Solutions for ingesting and using SBOMs exist. “And why is it important? Because if you don’t connect those dots, you can have potential attack points that you don’t know about,” he said.
Ultimately, Kingsberry said, modernizing for zero trust and having visibility into all vulnerabilities and dependencies leads to what he called trust resilience.
SAIC embeds the processes needed to reach that resilience into a service that gives “clear vulnerability management of your pipeline, clear compliance and policy-based management,” he said, adding that it also audits events happening within the network.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Vice President of Cybersecurity, SAIC
Host, The Federal Drive, Federal News Network
Vice President of Cybersecurity, SAIC
Shawn Kingsberry is a vice president in the Digital Innovation Factory at SAIC. He leads teams focused on developing cyber solutions that protect our nation’s interests by enabling situational awareness, active cyber defense, and threat detection and remediation.
Kingsberry has more than 30 years of experience in information technology and has a diverse background in federal and state government as well as corporate technology leadership. He has extensive experience leading large-scale secure digital transformation and fostering productive partnerships with internal teams and external technology partners.
Prior to joining SAIC, Kingsberry led Global Advisory Services for Unisys and directed the development and deployment of secure cloud solutions for Engility.
Before moving to private industry, Kingsberry served as chief information officer for the federal Recovery Accountability and Transparency Board. In that role, he led successful efforts to provide transparency on stimulus spending and oversight of fraud, waste and abuse. He also oversaw the agency’s migration to the public cloud, the first federal-wide system to achieve that milestone. He is a recipient of the prestigious Fed 100 Award, recognizing his leadership at that agency.
He also held executive positions with the U.S. Department of Agriculture.
Kingsberry is frequent speaker and panelist who is recognized by senior industry and government leaders, peers and subordinates for his strategic mindset and leadership in the modernization of IT infrastructure to meet increasing security, data and citizen-services requirements.
Host, The Federal Drive, Federal News Network
Tom Temin has been the host of the Federal Drive since 2006 and has been reporting on technology markets for more than 30 years. Prior to joining Federal News Network, Tom was a long-serving editor-in-chief of Government Computer News and Washington Technology magazines. Tom also contributes a regular column on government information technology.