U.S. government agencies are taking concerted steps to implement a zero-trust architecture to protect critical systems and data. Those efforts include meeting specific cybersecurity standards and objectives by the end of Fiscal Year 2024 and referenced in directives and guidelines from the White House Office of Management and Budget (OMB), the DOD and the Cybersecurity and Infrastructure Security Agency (CISA).
But as they speed up their adoption of zero-trust security, they still face challenges with legacy applications and architectural gaps; compliance requirements; or financial and operational concerns. It’s not necessarily about adopting new technologies or products but rather an overall strategy that should be programmatically mapped according to each agency’s unique use-case requirements and capabilities.
That is evident according to federal leaders from nearly a dozen agencies who joined FedScoop to talk about their success thus far and the challenges as they implement zero trust. The interview series, Federal Zero Trust: Moving from Aspiration to Transformation, underwritten by Forcepoint, provided a platform for leaders to share their experiences.
“Taking the federal government in this significant shift towards the zero-trust paradigm is not a singular project; it’s not one thing; it’s a fundamental change to how we’re approaching federal agencies, their data and their security evolve. Our goal is to raise the baseline over the next few years, and everybody is starting in a different place with different parts of that journey,” says Mitch Herckis, director of federal cybersecurity in the Office of the CIO at OMB.
He explains that one of the biggest challenges is the “decades of technical debt that have been ignored” and how that manifests itself when agencies are unable to implement security measures. “It’s so important for us to think of this as a cohesive strategy in line with their broader IT development strategy, and how they’re thinking about not just their cybersecurity [budget] as a whole, and how they strategically invest that, but also how they’re investing in their overall IT modernization.”
The Department of Defense, meanwhile, recognizes that its security efforts set an example for the entire federal government. David McKeown, senior information security officer and deputy CIO at DOD, says, “we have an aggressive schedule. We want to be in alignment with the federal mandates called out in EO 14028 and the corresponding NSM-8, which is also going to cover zero trust for national security systems. We want to implement zero trust throughout the whole [department] by the end of FY27. We will stay in alignment in the near term with the three-year goal for the capabilities that are being called out there, but our zero-trust plan that we have right now is very well defined; we’re hoping to share that with the rest of the federal government.”
Although the DOD has a robust plan for traditional admin-type and command and control networks, they still have work to do on the weapon system and critical infrastructure front.
At the U.S. Navy, CISO Tony Plater details how they’re planning to implement zero trust principles across multiple networks, domains and functional silos. He also talks about working directly with the DOD Portfolio Management Office, so they don’t duplicate efforts and ensure greater synergy.
Plater shares his insights on the Navy’s move to Flank Speed, a single enterprise cloud environment for daily work. “Flank Speed is our core platform for extending our zero-trust architecture across the Navy enterprise….and we see it as meeting or fully integrating into the eventual zero-trust ecosystem requirements. Today, Navy users can access Flank Speed sources without using a VPN to connect to government networks. So that’s a big step forward for us,” he says.
Another agency that leveraged the cloud was the U.S. Citizenship and Immigration Services. CISO Shane Barney explains the agility of being 95% cloud-based and highlights how “[USCIS] started its zero trust journey many years ago, primarily because we were in the cloud; we recognized the value of cloud. And we recognize what we could do with the cloud, which would later become more known as zero trust; we just called it good cyber hygiene.”
He also discusses the importance of investing in security automation early. “Don’t make that one of the last things you do,” he says. “Make it the first thing you do because it’s much easier to add in the pieces of the puzzles as you go into that automation platform than it is to retrofit it in.”
Leaders understand the capabilities necessary to move forward in their journey, and each agency has different priorities to unify approaches across the pillars of zero trust to transform.
As Department of Labor CISO Paul Blahusch put it, “Zero trust is revolutionary, not evolutionary. It will take resources, technology, people and professional services.”
Other participants who shared their experiences in the video series include:
- Steven Hernandez, CISO, Department of Education
- Chezian Sivagnanam, Chief Enterprise Architect, National Science Foundation
- Stephen Haselhorst, Zero Trust Program Manager, FDIC
- Amy Hamilton, Senior Cybersecurity Advisor for Policy and Programs, Department of Energy
This video series was produced by Scoop News Group for FedScoop and sponsored by Forcepoint.