Five months after the debut of the Biden administration’s sweeping Cybersecurity Executive Order, Federal agencies are “highly engaged” in grappling with the order’s mandate for migration to zero trust security architectures, both on the planning and funding fronts.
That was one of the top-line takeaways from Eric Mill, Senior Advisor to the Federal CIO, at MeriTalk’s Cyber Central: Defenders Unite virtual conference today. Mill joined James Saunders, Senior Advisor for Cybersecurity at the Office of Personnel Management (OPM), and Nick Kaufman, Regional Manager of Federal Sales at Cisco, to discuss agency progress thus far on the zero trust mandate.
“We’ve seen agencies being highly engaged with everything coming out of the cybersecurity EO and what it’s asking them to do, it’s affecting their priorities,” said Mill.
One of those impacts, he said, is on the funding front, where Federal agencies have rushed to make applications with the Technology Modernization Fund (TMF), which is looking to spread around the $1 billion of funding it received under the American Rescue Plan Act earlier this year, with a priority on security projects.
The Cyber EO, Mill said, has led to a “surge of proposals” to the TMF focused on zero trust and other cybersecurity issues. The zero trust component, he added, “is really the organizing principle for most of those proposals.” Earlier this month, the TMF Board announced $311 million of awards, including $60 million to three agencies specifically for zero trust work.
In addition to the funding picture, Mill said the Cyber EO is “creating a ton of helpful dialogue” with agencies about what it will take to succeed in the zero trust migration. “They’re asking us questions, they’re digging into the details,” he said.
“Some of the concepts involved – these are not the first time some of these concepts have come up within the Federal government or agencies – and it’s a matter of taking what they know and starting to really deploy it,” Mill said. “In other cases, some of these things are actually relatively new in the Federal space, and in some cases, to enterprise security generally. In that case, we’ll work through those things together and help address questions and make sure that some of the guides we give out reflect that.”
Saunders, whose agency received a $9.9 million award from the TMF to help with the zero trust transition, said OPM is assessing what architectural changes it needs to make, and is also figuring in zero trust progress that will result from further cloud service adoption – which is another central thrust of the Cyber EO.
“For us right now, it’s largely information gathering and looking at it from the lens of architecture change,” Saunders said. “You’ve got to be able to assess your current state, and what you have in place now.” Overall, the current effort “is really planning and figuring out how we get from our current state to our future state,” he said.
“The good news is we are not starting at zero,” he joked, explaining that OPM is looking at the zero trust migration through the lens of its larger IT modernization plans, including further cloud service use. He said the agency will use its new TMF funding “to enhance areas that we’re probably not so strong in, so that we have a well-rounded zero trust program.”
Saunders pointed out that the Cyber EO also places a large emphasis on continued cloud migration, and said that OPM is mapping its way to the zero trust goal in some measure by moving additional systems to the cloud, so that “they are already part of the zero trust ecosystem … and that’s something we are moving on now.”
“For the systems that are not in the cloud, it will take a little bit longer to get there,” he said. “That’s why we need to go back and figure out how do we apply the same control concepts to potentially older systems or systems that have a longer lead time to migrate.”
Cisco’s Kaufman said his company is helping Federal agencies with similar planning processes.
“The biggest thing that we’re working with agencies to help them understand right now is what assets already exist that can be leveraged” to achieve the zero trust mandate, he said.
“Many of the principles of zero trust are not necessarily completely new,” he said, adding that the task at hand involves “identifying those systems that are going to require some additional modernization to meet the requirements of the executive order, or candidly, to be brought into the fold when you look at things like the definition of zero trust policy.”
“The biggest lessons that we’ve learned so far are that while there is really clear definition around things like identity and devices, networks, and applications, being able to map those things out and identify what toolsets may already exist, and what telemetry they can gain from things that they’ve already made investments in, is priority number one,” Kaufman said.
For agencies, he added, “understanding where their data is, how to classify it, and how to bring it in and along for the ride, knowing applications and data, really does rule what the outcomes are going to be.”
Asked about OMB’s stated goal to get Federal agencies to a common zero trust security baseline within three years, Mill said the draft zero trust strategy guidance issued by his agency last month aims to help clarify that pathway.
The strategy document – which remains to be finalized – is intended to help show agencies “the places that they should really start digging into now, upfront, so that by the time a few years has gone by, we see the real fruit of that work that has strengthened federal cybersecurity in a meaningful way raise costs to attackers by orders of magnitude, and shows that the government is capable of making these decisive changes to its architecture,” Mill said.
At the same time, he reiterated that OMB is meeting agencies where they are in the process, and not planning that “literally every single agency will somehow be 100 percent done with doing a total overhaul of their enterprise security in three years. We have our eyes wide open about the magnitude of the challenge, but there is a lot that we can do in that time.”
Mill added that some of the major tasks in zero trust implementation – encryption and multifactor authentication, among others – are not new concepts, but take a lot of effort to put in place.
“Those are in many ways about taking existing standardized practices, and the hard work is actually implementing them consistently in big sweeping complicated, somewhat decentralized enterprises,” he said. “We have no illusions that something that sounds simple on paper” will be readily accomplished by all agencies on the same timeline, he added.
Other portions of the zero trust migration – like internal data classification that helps enforce security rules – won’t be as simple as putting new solutions in place, he said. “There is a ton of enterprise-specific work and analysis that goes into that, and a lot of experimentation and a lot of iteration, and just smart work over time, and the patience and endurance to see it through.”
“Those are places where we are trying to focus on especially when there’s a gnarly problem like that,” he said. “That is why folks need to start making progress on those things right now – so they have the foundation they need for the other things in the years to come.”
Commenting on the three-year timeline, Kaufman added, “the wonderful thing about deadlines is that they do spark action.”
“Really what we’re looking to do is help with progress, rather than perfection,” he said. “When you look at anything that you talk about when it comes to cybersecurity and risk reduction, anytime that any organization has taken that very widespread approach or tried to do a one-size-fits-all, it certainly results in either a failure or an utter lack of action. That’s really what we’re looking to help prevent,” he said.
For the whole conversation, please visit Cyber Central: Defenders Unite.