Zero trust, the centerpiece of Executive Order 14028 on improving cybersecurity, is best viewed as part of a modernization strategy, a set of principles for network and application design, and a guide to acquisition.
“When you look at the tenets or the pillars of zero trust, it’s all of the capabilities necessary to deliver an IT mission,” said Shawn Kingsberry, vice president of cybersecurity at SAIC.
Zero trust covers data, applications, infrastructure and identities. Given that, Kingsberry advises that agencies view cybersecurity as national security. He sees the challenges in getting to zero trust as analogous to the early days of cloud adoption within the government.
“Zero trust is, in essence, one of the biggest opportunities that I’ve seen in my 22 years working for the federal government,” Kingsberry said. He said the main IT task for federal agencies is to “understand how to identify the risks, duplication and opportunities and turn those into prioritized projects mapped against this zero trust maturity model.”
Kingsberry offered three ways agencies can accelerate their journey.
Tactic 1: Share best practices and collaborate with other agencies
Because the zero trust principles are universal and presuppose no access attempt should be considered trustworthy without vetting, agencies have an opportunity to share experiences and best practices while creating their zero trust architectures, he said.
Plus, the wide use of zero trust will enable greater sharing of data and applications, within agencies, across agencies and with partners, Kingsberry said. For instance, he pointed to the Energy and State departments as examples of multicomponent agencies that also deal with numerous international partners.
“When you implement zero trust standards, now you can collaborate in a way that it doesn’t matter if you’re inside the United States or out,” he said. “Or between agencies, you now know how to collaborate and exchange information — and with the right checks and balances.”
By building on the security controls laid out in NIST Special Publication 800-53, zero trust gives government agencies a greater opportunity to integrate and interact securely when working together.
Tactic 2: Take stock and then prioritize your to-do list
To help agencies take advantage of the software tools they already have in place, SAIC has developed a zero trust accelerator to provide guidance to customers as they develop their zero trust strategies, Kingsberry said.
“It’s a consultative engagement that actually leverages all of the products that every federal agency has,” he said. The accelerator accounts for authorities to operate, system controls and boundaries, security controls and other characteristics established within an organization. It compares this information against zero trust principles and NIST Special Publications 800-53 and 800-207, the latter of which covers zero trust.
“Now, we can start to provide early benefit realization, to actually make decisions,” Kingsberry said. The accelerator analyzes an agency’s inventory of systems “and turn all of those risks, duplications and opportunities into prioritized projects using a mathematical algorithm to remove bias.”
As a former federal CIO, Kingsberry acknowledged that most IT staffs have pet projects, but the accelerator can provide an objective overview of what an agency should do first in terms of zero trust to improve its cybersecurity posture.
No two agencies have identical sets of applications, and therefore no two will have a matching list of priorities, he said. One agency might need to focus its attention on its financial system, another on a specific mission-related program.
Tactic 3: Get a handle on your supply chain
Because every agency also commissions or develops new applications, an agency’s zero trust approach should encompass open source components and anything developed internally or by contractors, Kingsberry said.
Agencies will want to know two things, he said: “One, understand all of the dependencies of the applet or of the components that make up the application. Two, how can I have visibility of the potential exploitations that may be in this pipeline?”
The route to this knowledge is through software bills of materials (SBOMs).
Agencies also need to know “how do I actually get this bill of materials of all of the software that makes up the overarching solution?” Kingsberry said.
Solutions for ingesting and using SBOMs exist. “And why is it important? Because if you don’t connect those dots, you can have potential attack points that you don’t know about,” he said.
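The two questions above (what are the dependencies, and where in the pipeline could a known weakness sit) are exactly what an SBOM lets a defender answer mechanically. The following is an added example, not SAIC's accelerator or any product code: it ingests a small SBOM in CycloneDX JSON layout, matches components against an advisory list, and walks the dependency graph to show which flagged components are actually reachable from the application. The SBOM contents, package names, versions and advisory identifiers are all constructed placeholders for illustration.

```python
import json

# Constructed sample SBOM in CycloneDX 1.4 JSON layout (fictitious application and packages).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "grants-portal", "version": "3.1.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/webframework@2.4.1", "name": "webframework", "version": "2.4.1"},
        {"bom-ref": "pkg:pypi/yamlparse@5.3.0", "name": "yamlparse", "version": "5.3.0"},
        {"bom-ref": "pkg:pypi/jsonlog@1.0.2", "name": "jsonlog", "version": "1.0.2"},
        {"bom-ref": "pkg:pypi/httpclient@0.9.8", "name": "httpclient", "version": "0.9.8"},
        # Listed in the SBOM but nothing depends on it: a stale entry worth noticing.
        {"bom-ref": "pkg:pypi/legacytool@1.2.0", "name": "legacytool", "version": "1.2.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/webframework@2.4.1", "pkg:pypi/jsonlog@1.0.2"]},
        {"ref": "pkg:pypi/webframework@2.4.1",
         "dependsOn": ["pkg:pypi/yamlparse@5.3.0", "pkg:pypi/httpclient@0.9.8"]},
        {"ref": "pkg:pypi/yamlparse@5.3.0", "dependsOn": []},
        {"ref": "pkg:pypi/jsonlog@1.0.2", "dependsOn": []},
        {"ref": "pkg:pypi/httpclient@0.9.8", "dependsOn": []},
    ],
})

# Constructed advisory feed with placeholder identifiers (not real CVEs).
# "fixed_in": versions strictly below this value are treated as affected.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "name": "yamlparse", "fixed_in": "5.4.0"},
    {"id": "ADV-PLACEHOLDER-002", "name": "httpclient", "fixed_in": "0.9.8"},  # already at fixed version
    {"id": "ADV-PLACEHOLDER-003", "name": "legacytool", "fixed_in": "2.0.0"},
]


def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple, e.g. '5.3.0' -> (5, 3, 0)."""
    return tuple(int(part) for part in text.split("."))


def load_sbom(sbom_text):
    """Return (root ref, {bom-ref: component}, {ref: [dependsOn refs]}) from CycloneDX JSON."""
    bom = json.loads(sbom_text)
    root = bom["metadata"]["component"]
    components = {root["bom-ref"]: root}
    for comp in bom.get("components", []):
        components[comp["bom-ref"]] = comp
    graph = {dep["ref"]: list(dep.get("dependsOn", [])) for dep in bom.get("dependencies", [])}
    return root["bom-ref"], components, graph


def find_affected(components, advisories):
    """Match each component by name and compare its version against the fix version."""
    hits = []
    for ref, comp in components.items():
        for adv in advisories:
            if comp["name"] == adv["name"] and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((ref, adv["id"]))
    return hits


def paths_to(graph, start, target):
    """All dependency paths from start to target, depth-first, with a cycle guard."""
    results = []

    def walk(node, path):
        if node == target:
            results.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:
                walk(child, path + [child])

    walk(start, [start])
    return results


def assess(sbom_text, advisories):
    """Combine advisory matching with reachability from the application root."""
    root, components, graph = load_sbom(sbom_text)
    findings = []
    for ref, adv_id in find_affected(components, advisories):
        paths = paths_to(graph, root, ref)
        findings.append({
            "component": ref,
            "advisory": adv_id,
            "reachable": bool(paths),  # False means the SBOM lists it but nothing depends on it
            "paths": [" -> ".join(p) for p in paths],
        })
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_SBOM, ADVISORIES):
        print(finding)
```

The reachability step is what turns a bill of materials into a pipeline view: a flagged component that no dependency edge leads to is an inventory hygiene problem, while one reachable through a path from the application is an exposure to prioritize. Real advisory data uses version ranges richer than a single fix version and ecosystem-specific version schemes, so the comparison here is deliberately the simplest case.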
Ultimately, Kingsberry said, modernizing for zero trust and having visibility into all vulnerabilities and dependencies leads to what he called trust resilience.
SAIC embeds the processes needed to reach that resilience into a service that gives “clear vulnerability management of your pipeline, clear compliance and policy-based management,” he said, adding that it also audits events happening within the network.