GSA official touts cyber posture as agency considers passwordless environment

As the clock winds down on the deadline for federal agencies to implement various zero-trust architecture measures, the General Services Administration is cruising to the finish line and eyeing new cybersecurity priorities. Completing those requirements ahead of the Sept. 30 end date was made possible by the agency starting its zero-trust mission “many years” before the 2021 cybersecurity executive order, its top IT official said in an interview.

Dave Shive, GSA’s chief information officer, said in an email to FedScoop that the agency was able to meet those 2021 cyber goals by developing a software strategy that was “closely aligned with” the order and the corresponding Office of Management and Budget guidance.

Shive touted the agency’s cybersecurity posture at the Billington Cybersecurity Summit in Washington, D.C. last week, announcing the GSA’s consideration of a passwordless environment for internal agency processes. He later confirmed to FedScoop that this would be part of an effort to offer an enhanced authentication process. 

Shive also claimed responsibility last week as one of the agencies that federal CIO Clare Martorana credited with leading in Technology Modernization Fund investments for zero-trust implementation.

“The TMF award has been fundamental to GSA’s [zero trust architecture] implementation, arming GSA with financial resources to kick-start our zero trust modernization initiatives,” Shive told FedScoop.

During the event, Shive said the agency is thinking about employee experience improvement by considering a move to a passwordless environment, while also emphasizing the GSA’s aim to strengthen its cybersecurity posture. Shive told FedScoop that GSA IT is striving to offer “more streamlined authentication processes” as part of modernization efforts and to improve access to agency resources. 

In order to do this, Shive said the agency is leveraging part of its TMF award to modernize employee experience and “make strides towards a passwordless experience for our employees through implementation of modern directory solutions and cloud based single sign on.”

“As GSA employees engage in a highly collaborative hybrid environment, providing responsive, accessible, and mobile options for authentication supports a ‘total experience’ approach in IT solutions,” Shive said.

The CIO noted that this process is happening “while concurrently moving towards a zero trust environment.”

Shive told FedScoop that the agency is focused on “continuously strengthening our cybersecurity posture” through a “One GSA|ONe Cyber enterprise-wide” model for delivery. This approach focuses on measures that are the “most impactful,” Shive said, defending both digital and physical infrastructure, products, services and capabilities that the agency provides to the nation. 

“We have hybrid teams with both contractor and federal cybersecurity professionals that work collaboratively to advance our cybersecurity goals — focused on modernization through [zero-trust architecture], resiliency and driving down risks,” Shive said. 

Overall, Shive told FedScoop that compliance with the executive order includes modernizing through the adoption of both cloud services and the zero-trust architecture as well as improving agency detection and response to cybersecurity incidents, authentication and encryption. 

“While much has been achieved, there are still more opportunities,” Shive said. “We work now focusing on the application and data pillars of the zero-trust maturity model with the development of new application security capabilities to ensure more secure software development.”