The Interagency Zero Trust Leadership Steering Group is working to understand funding challenges that federal agency IT departments face as they implement zero-trust security architectures, according to Sean Connelly.
Speaking at the ATARC Zero Trust Summit on Tuesday, the Cybersecurity and Infrastructure Security Agency’s senior cyber architect said the group — chartered under the Federal Chief Information Officer (CIO) Council — meets about once a month to discuss how agencies are moving forward in spite of tight budgets.
The CIO Council has multiple working groups in addition to four principal committees. Working groups must be approved by the council’s executive committee, have a clearly defined scope and goals and deadlines for the completion of deliverables.
Ever since the White House issued the Cyber Executive Order in 2021, requiring agencies to submit zero-trust security architecture implementation plans, CIOs and chief information security officers have expressed concerns the money isn’t there.
“We are starting to see agencies receive funding toward zero trust initiatives,” Connelly said.
A voting member on the Technology Modernization Fund Board, he pointed out that the U.S. Agency for International Development was awarded $5.6 million Aug. 3 to accelerate its transition to a new identity, credential and access management (ICAM) solution.
USAID now estimates more than 50% of users will be onboarded to the passwordless technology by fiscal 2024.
“TMF funding will allow USAID to accelerate its zero trust initiative across an anytime, anywhere organization of over 13,000 end users worldwide, improve customer experience, and reduce mission risks as it helps execute the administration’s foreign assistance and development priorities,” said Paloma Adams-Allen, deputy administrator for management and resources, in the announcement.
Other avenues agencies have for cost-effective implementation of zero-trust security include CISA’s Federal High-Value Asset program, which helps them protect their most sensitive data, as well as Trusted Internet Connection (TIC) 3.0 overlays.
Connelly manages the TIC program, which provides agencies with modern security architectures for protecting their IT environments through use cases complementing the five pillars of the Zero Trust Maturity Model. TIC overlays let cyber vendors map their services to the program’s capabilities.
Vendor assistance is also key to modernizing the Federal Risk and Authorization Management Program (FedRAMP), which the TIC team coordinates with and has seen an increasing number of cloud services authorized to use the most sensitive, unclassified data.
“We’ve seen a number of FedRAMP High baselines have started to be accelerated as agencies are moving some of the most sensitive data to the cloud,” Connelly said. “It’s critical that the vendors are able to provide these types of services to help the agencies as they move to TIC 3.0 and [Secure Access Service Edge]-type solutions.”
CISA, together with the Office of Management and Budget and U.S. Digital Service, continues to review agencies zero-trust security architecture implementation plans to understand their needs and gaps, as well as challenges across agencies.
That information is relayed to the CyberStat working groups that CISA hosts once or twice monthly for about 600 federal officials and contractors to discuss implementing the pillars of zero trust: identity, devices, networks, applications and workloads, and data.
“I think we’re helping agencies move forward as well as we can,” Connelly said.