The Office of Personnel Management is implementing a zero-trust security architecture faster because of the $9.9 million in Technology Modernization Fund dollars it received in September, according to Chief Information Officer Guy Cavallo.
Cavallo intends to use the funds to pay for zero-trust technologies identified through market research his office conducted in preparation for the money’s arrival, as well as consulting and support personnel that won’t just implement the products but integrate with cloud migration and service management teams.
The Technology Modernization Fund Board in September announced seven new projects in its first round of awards for agency IT modernization since the fund received a $1 billion infusion as part of the American Rescue Plan.
OPM wasn’t moving toward a zero-trust security architecture until Cavallo became CIO in March 2021, and once the TMF funding was assured, he had his office prepare contracts and procurements for the solutions it desired.
“We were going to do zero trust even without that money,” Cavallo told FedScoop, during ITModTalks on Wednesday. “It just would’ve taken me longer because — you know the budget cycle in government — I inherited a budget when I got to OPM that had been decided two years earlier without zero trust.”
President Biden issued the Cybersecurity Executive Order requiring agencies to begin adopting zero-trust security two months after Cavallo joined OPM, which gave him the leverage he needed to request additional resources he was already seeking.
Cavallo also oversaw the cloud migrations at the Transportation Security Administration and the Small Business Administration because of the cyber protections cloud provides. In leading three agency migrations in under 90 days total, Cavallo learned it only takes two to three cloud professionals who’ve done the work before either on staff, like when he brought SBA employees with him to OPM, or from outside, like 18F in TSA’s case or a cloud partner in OPM’s.
The technology leader breaks his cloud strategy into five teams: architecture engineering; cloud operations; service management, for governance and costing; service automation, for a continuous development pipeline; and migration. Security is embedded into all of them because otherwise a separate security team would take a year to approve everything at the end, Cavallo said.
At SBA, Cavallo had all information system logs migrated to the cloud, so the agency was no longer limited by on-premise hardware as to how many it could collect. Then SBA built artificial intelligence into its zero-trust initiative to improve its security posture.
“We are all under robotic, artificial intelligence-based attacks, and if we try to counter those with humans looking at security monitors, we will lose every time,” Cavallo said. “We have to up our game and fight those same resources with the same capabilities.”