Civilian and defense agencies have differing priorities in implementing their zero-trust security architectures, and they’re exploring a variety of avenues to fund their projects.
The Department of Health and Human Services Office of Inspector General is adjusting six foundational, zero-trust projects it identified based on the zero-trust strategy the Department of Defense released in November.
HHS OIG already has zero-trust technology procurements underway, though no deployments as of yet.
“We’re going to adjust that roadmap, based on the strategy that was released, because I like some of the 91 points that are in there,” said Chief Information Officer Gerald Caron, during the Fortinet Security Transformation Summit produced by Scoop News Group.
HHS OIG is “chasing” Technology Modernization Fund dollars right now, which would be a “gamechanger” for its zero-trust projects, Caron said. The agency recently entered Phase 2 of that process.
Meanwhile, DOD’s CIO for cybersecurity is working with the Chief Digital and Artificial Intelligence Office to propose a data tagging and labeling standard before the end of fiscal 2023.
“That’s critical to get to the later stages of zero trust, especially if you want to go to advanced zero trust, especially if you want to get sophisticated in the visibility and analytics pieces of zero trust,” said Randy Resnick, director of the ZT PMO. “Because if you don’t know what data you’re sitting on, if it’s not properly tagged or labeled, it’s very difficult to do that analytics.”
The standard will also enable better data sharing across the enterprise.
DOD is in the midst of its Program Objective Memorandum cycle, where components seeking funding for zero-trust projects may place their requests, but they won’t receive the money for two years after approval. Resnick’s office is willing to offer bridge funding if the component can prove a “legitimate need,” given that zero trust is a “high priority” for DOD, Resnick said.
“I would suggest work with the portfolio office, and we will try to advocate for you for this year’s dollars, move things around,” he said.
U.S. Citizenship and Immigration Services is developing a more adaptive, fluid trust model because, often, a user or device on the network is either simply trusted or it is not.
Machine learning will soon be making those decisions and “driving a very different type of risk model,” said Chief Information Security Officer Shane Barney.
“You’re going to be adapting trust more in a real-time sense,” Barney said. “And it’s going to be taking a number of very critical factors that do that in your environment.”