HHS OIG took the Zero Trust Maturity Model a step further

Gerald Caron says his office developed a functional capabilities model to game out its move to zero trust.
Gerald Caron delivers remarks at the 2022 Zero Trust Summit in Washington, D.C. (FedScoop)

The Department of Health and Human Services Office of Inspector General developed a zero trust functional capabilities model to ensure it understood the strategy’s pillars before undertaking any projects, according to its chief information officer.

Gerald Caron said HHS OIG’s model consists of eight pillars, as opposed to the Department of Homeland Security‘s five, complete with functional capabilities — like loss prevention and segmentation under the data pillar and authentication and access under the user pillar.

DHS’s Cybersecurity and Infrastructure Security Agency drafted the Zero Trust Maturity Model in June 2021 to help agencies comply with the Cybersecurity Executive Order, but Caron finds some people still talk about the strategy as if it were solely the identity pillar.

“I start with the data,” Caron said, during the 2022 Zero Trust Summit presented by CyberScoop on Wednesday. “That’s what I’m protecting, that’s what the users are protecting, that’s what the bad guys want.”


That’s not to say the user and identity pillars aren’t important, but the first questions a cyber analyst asks after a breach are what the person had access to and whether there was exfiltration, which are data questions, he added.

HHS OIG’s model is changing the way its auditors and assessors evaluate IT systems, because Caron watched one system, holding all of its authorizations to operate and having passed all of the National Institute of Standards and Technology‘s Security Program controls, fail entirely on zero-trust controls and procedures.

“We’ve got to figure out a way to measure effectiveness and not just compliance because they are two different things in my eyes,” Caron said. “And that’s what we really want to be; we want to be effective at cybersecurity.”

The chief information security officer of U.S. Citizenship and Immigration Services, Shane Barney, echoed Caron’s sentiment that while there’s a place for compliance and it adds value, it will never be security.

USCIS threw out a compliance mindset when it “fell into” its zero-trust strategy through cloud migration about a decade ago, Barney said.


“I’m not going to knock the federal government; I love the federal government actually,” he said. “But we do so love our checkboxes, and we so love our scorecards.”

Once HHS OIG developed its zero trust functional capabilities model, the office compared it with DHS’s to identify gaps. HHS OIG asks vendors it works with to do the same.

That information serves as an input to HHS OIG’s roadmap with multiple objectives under each pillar. HHS OIG meets objectives through phased projects across every pillar.

Foundational projects include identity; data mapping, which takes an application and maps all the data it handles in order to baseline what needs protecting; and implementing Trusted Internet Connections 3.0 to improve user experience.

“My users are part of my team,” Caron said.
