Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
About the time the Office of Management and Budget released its draft zero trust strategy last week, Mittal Desai, the chief information officer at the Federal Energy and Regulatory Commission (FERC) was presenting his fiscal 2023 technology budget submission to the agency’s chairman and other leadership.
Desai said the first question FERC Chairman Richard Glick asked wasn’t about topline numbers or the significant increases to modernize applications and networks.
Insight by Exterro: Capt. John Henry, operations officer of the USCG Cyber Command, discusses how the Command prepares for and responds to cyber incidents. Justin Tolman, forensic subject matter expert at Exterro, will provide an industry perspective.
“The first question he asked was ‘do we have enough adequate security protections and do we have enough services in there to make sure we can protect our assets?’ Just hearing that from him is something that we know from the top just how important security requirements are,” Desai said during Sept. 8 panel sponsored by AFCEA Bethesda chapter. “They fully understand IT budgets are going to increase, these threats are frequent, these threats are constant and how do we adapt to be agile to protect our data assets?”
And it’s not just the leadership who are recognizing the need for better cyber protections. Desai said the program offices also better understand the importance of cyber protections for protecting not just agency data and networks, but their users too.
That understanding is what will make OMB’s zero trust strategy successful. Not the technology from the dozens of vendors who love to talk about zero trust; not the agency technology leaders making zero trust a key talking point and definitely not lawmakers asking ill-informed questions about “this zero trust thing.”
“As security threats continue to grow in frequency and magnitude, federal IT and cyber leaders have a responsibility to collaborate with non-IT stakeholders to meet OMB’s goals. When speaking with program managers about these mandates, I encourage federal IT and cyber teams to illustrate how the improvements in security that come with a zero trust architecture directly benefits their agency’s mission, resiliency and digital acceleration,” said Jonathan Alboum, a former CIO for the Agriculture Department and now a principal digital strategist for the federal government at ServiceNow.
Like many new cybersecurity initiatives, agencies don’t necessarily have immediate funding to pay for the first year of the effort, and year two and three are dependent on Congressional appropriations. While lawmakers have shown a propensity to fund cybersecurity efforts, it’s unclear whether every agency will receive enough money to meet OMB’s goals.
Karen Evans, the former administrator of e-government and IT at OMB and CIO at the Homeland Security and Energy departments, said there are ways to fund the cyber priorities within current and upcoming budgets.
“Due to the new administration and because of the SolarWinds incident, departments would have updated their budget request, different than what was submitted during the previous administration. So, additional funding should have been added to the fiscal 2022 request, which we will see what is appropriated by Congress and they have been supportive of increasing budgets for cybersecurity,” Evans said in an email to Federal News Network. “If a department did not modify their 2022 request when they could have, then they need to reprioritize on the basis of the cyber executive order and the strategy. Then, OMB is asking for a budget estimate, this is what would need to be updated and/or what they are going to submit now for 2023, which then, will go into the review cycle for the President’s budget 2023.”
In the Biden administration’s 2022 budget request to Congress, agencies asked for more than $20 billion for cybersecurity efforts, including $9.8 billion for civilian agencies, which this draft zero trust strategy is focused. The civilian agency request is 14% higher than in 2021.
Evans has said many times over the last 20 years that while it’s hard to move money from one initiative to another, it’s possible and takes leadership from the CIO, CFO and other executives.
Alboum added that while OMB promotes the use of the Technology Modernization Fund to help fund these cyber changes, that approach will not be nearly enough.
“As part of this process, all CIOs should consider investments in automated tools for hardware and software asset management. Deploying these capabilities create greater visibility across the enterprise, allowing agencies to account for all their IT resources. This is foundational to successfully implementing zero trust architectures,” he said.
Shane Barney, the chief information security officer at the U.S. Citizenship and Immigration Service within DHS, said at the AFCEA Bethesda event that the draft memo gives him and others in the technology community the ability to drive the cybersecurity discussion in a new direction for leadership.
“What I appreciate most about the OMB memo, which is out for draft and comment right now, it pulls back to more of an architectural-based discussion. It’s really driving us toward understanding what our enterprise looks like, what we understand the defined trust to be, what we understand to be important within our enterprise, and, ultimately forcing us to recognize the end state goal of a zero trust model is to place your entire enterprise on a public internet,” he said. “It has been something that I’ve said numerous times and get various levels of reaction from. But having OMB state it even in a draft policy is revolutionary and welcome because it’s going to give us the ability to drive those discussion with our networking teams and talk with our leadership about what this means.”
The architectural discussion with senior leaders is never an easy one, but necessary when it comes to implementing zero trust, which impacts everything from identity and access management to application access and protections to data sharing. All of these changes will directly impact mission or programs.
Mark Forman, the first OMB administrator for e-government and IT and now executive vice president of Dynamic Integrated Services, said the draft strategy does a good job extending the discussion beyond just the zero-trust architecture to take a more comprehensive look at modern network and application design.
“Security guidance has always helped in government IT by forcing a true accounting of assets, applications and devices and this memo should result in the same,” Forman said in email to Federal News Network. “I think it also signals a clear shift in funding away from architectures built on the basis of the ‘cyber kill chain,’ which was expensive and ultimately ineffective. The shift back to systems instead of networks is probably good since, at the end of the day, Solar Winds showed us that if systems are not secure, neither is our data or government processes running in systems on those networks.”
Forman, Evans and others generally praised the memo, but also recognized it still needed some work.
For example, Forman said even with one of the draft strategy’s pillars being application security, it doesn’t talk about the need to build zero trust concepts into the DevSecOps process.
“I think this is obvious lesson learned if the government is to improve cybersecurity,” he said. “There are three issues facing agencies in adopting and deploying zero trust architectures where the memo needs some better guidance. Transitioning agency applications to use zero trust instead of role-based access controls (RBAC) is a huge and expensive endeavor, and although the memo never specifically calls for replacing RBAC with zero trust it is inferred throughout. In addition, a core problem in the applications arena is custom interfaces that are hard to manage and keep secure (e.g. patches). The interfaces are key in deploying a zero trust architecture, but few applications owners are willing to give up their customizations let alone pay to replace them. And, of course, having agency political and program leaders maintain active support for this transition is almost impossible without a strong governance model or innate desire and knowledge by the department or agency head.”
Alboum added the focus on data throughout the memo is important because if agencies don’t know what exists, where it exists and how valuable it is to the mission, they can’t protect it.
“Federal cyber teams may not have the right safeguards in place if they don’t understand how information is used within their organization. They must understand how the work flows to accomplish the mission, so they can apply the appropriate zero trust architecture protections,” he said. “CIOs need to prioritize zero trust architecture projects based on risk, data sensitivity and related security priorities. An agency can’t adopt a zero trust architecture all at once. By leveraging their existing high-value asset program, agencies can prioritize systems and datasets that are most in need of zero trust architecture protections and apply the right security measures that can mitigate threats against our nation’s critical infrastructure.”
USCIS’s Barney said from his perspective there are parts of the draft strategy that need clarification, particularly the part about segmentation of networks.
“If you are in cloud you already are pushing that boundary and you need to manage that or you will pay a terrible price. I would love to see requirement for no humans in the production along those lines. Humans in production should be a break glass event, something that is an emergency. You are moving product into production should be an automated pipeline. That is what we should be doing as good organizations,” he said. “I would like an extra layer added for token-based authentication, not just multi-factor but multi-tier. In other words, if you have certain accounts, like domain-level accounts, people that have rights to your organization, adding another layer of tokenization there really adds to the level of security and it’s removed and separate from your regular based privileged user access.”
He said this added token would help protect against another SolarWinds style attack.
Barney also said he would like to see OMB clarify language about privileged agent use, especially with specific cyber tools, and what mitigation factors, including the monitoring and risk-based scenarios are needed.
“There is probably some need here … to add teeth,” he said. “Giving me the ability to go to my leadership and say ‘we need to make this a priority because OMB says we have to make this a priority,” really does help us at different levels. It helps us prioritize funding levels, and in meetings with budget folks.”
Evans said that “teeth” should come from the Cybersecurity and Infrastructure Agency (CISA) with OMB’s assistance. She said it’s clear the memo is different from the past in giving CISA the authorities to manage this initiative.
Funding, constant and consistent oversight and long-term accountability are what will make agencies change, let’s see if OMB and CISA has it in them this time around.