Agency CISOs aren’t sweating a looming zero trust deadline

Federal agencies are up against a fast-approaching deadline on a slew of cybersecurity standards, but the security chiefs responsible for hitting those marks feel relatively optimistic about the Biden administration’s goal to implement a so-called “zero trust” model for IT systems. 

During panel discussions Wednesday at the Scoop News Group-produced Amazon Web Services Innovate Day, chief information security officers downplayed the Sept. 30 deadline on targets called out in the Office of Management and Budget’s zero trust architecture strategy, expressing both confidence that they will hit the goals and readiness to turn the page on the January 2022 memorandum. 

“The status of OPM zero trust is pretty darn good,” said Office of Personnel Management CISO James Saunders. While there’s work to be done at OPM on the data pillar of the Cybersecurity and Infrastructure Security Agency’s zero trust maturity model, Saunders said that “overall, I think we’re on track and on target to hit the end of this fiscal year goal.”

The Department of the Interior — and its 11 bureaus and eight offices — may not have had quite so smooth a path, but CISO Stan Lowe said the agency is in a good position with its adoption of “practical zero trust.”

“We’re always going to live in a hybrid environment where I’m going to have legacy applications,” Lowe said. “It’s an ongoing, continuous thing. It’s not a destination, it’s a journey, because technology is going to change.”

The “ongoing” nature of meeting the White House’s zero trust benchmarks was on display at Interior with its work on implementing phishing-resistant multifactor authentication — a callout under the identity pillar of the strategy. 

When Lowe, a Federal Trade Commission and Veterans Affairs alum, took over as Interior’s CISO in 2023 after several years in the private sector, he was greeted by “a lot of legacy stuff … floating around the department.” He quickly discovered that what worked for one bureau might not for another — at least in those early stages of MFA adoption.

“The requirement says ‘phishing-resistant MFA.’ Well, that wasn’t necessarily possible [for some offices], so my position on that in the beginning, until we got to the point, was any MFA is better than no MFA,” Lowe said. 

Tackling the zero trust architecture pillars has been filled with trade-offs and shifting strategies of that kind for agency CISOs. Saunders, for example, said funding was the “biggest challenge” for OPM early on, especially coming off an August 2021 OMB memo on logging that “did not come with extra money” for agencies.

A $9.9 million investment from the Technology Modernization Fund to OPM in September 2021 ultimately proved to be a game-changer in fueling the agency’s zero trust work.

Still, a lesson in budgeting and prioritization was learned. “For a lot of these new cybersecurity investments, we need to engage with our business [counterparts] because TMF is only going to support us for so long,” Saunders said. “And that’s a continuous conversation; continuous engagement was not something that was necessarily a strong suit of the cybersecurity organization at the time.”

Shane Barney, CISO at U.S. Citizenship & Immigration Services, described zero trust as “the world’s biggest unfunded mandate for a lot of organizations.” That changed for USCIS when “all of [the Department of Homeland Security’s] different director heads” got in a room and “actually prioritized it first — and it’s not a small amount of money,” Barney said.

“They recognized the connection between security and the business being successful,” he said, adding that zero trust essentially amounts to good “cyber hygiene.”

For any CISO given a mandate to implement agency-wide technical change, internal cultural resistance is a frequent roadblock. Lowe joked that the security organization within Interior has a reputation of putting “the ‘no’ in ‘innovation.’’ 

But Lowe is entering the zero-trust sprint to the end of fiscal 2024 feeling “pretty optimistic.” After Interior weathered the Ivanti VPN vulnerability earlier this year, the veteran CISO said he’s ready for whatever comes next in the federal government’s cybersecurity journey.  

“Having worked in organizations that are fully zero trust and having gone through that journey with those organizations, I know this is possible,” Lowe said. “It’s just gonna take some intestinal fortitude and some hard decisions along the way to be able to get this done.”