The General Services Administration (GSA) is working on a series of playbooks for Federal agencies to use as they proceed with implementing plans to migrate toward zero trust security architectures, and expects to begin releasing those within a couple of months, a senior GSA technology official said today.
Kiran Balsa, Deputy Director of GSA’s IT Modernization Office of Government-Wide Policy, previewed the zero trust playbook work during a virtual event organized by DGI.
He explained that there is plenty of top-level zero trust policy guidance – including directives from the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) – available right now, but that GSA’s playbook efforts are focusing on ways that Federal agencies can go about implementing zero trust.
That playbook work is being informed by GSA’s efforts to partner with the Federal CIO Council “to shape what zero trust is” for Federal agencies, he said. “We are putting all of that information into the playbook.”
Balsa said he expects GSA to issue up to six different zero trust playbooks. Those will include a “base playbook,” and then additional publications on the pillars of zero trust security adoption including identity, device, application, network, and data. “There’s a lot there, but I think it can be distilled into simple terms,” he said.
“They are going to come out in the next couple of months,” Balsa forecast, adding that the playbooks will be hosted in a central location for agencies to access them.
Speaking at the same event, John Simms, Technical Advisor in CISA’s Office of the Chief Technology Officer, talked about various definitions of zero trust but said that the impetus for hurrying to get Federal agencies on the path toward the new security architecture “all comes out” of the SolarWinds supply chain cyberattack that came to light in early 2021.
Asked about his views on some of the zero trust plans now being formulated by Federal agencies in response to OMB policy directives, Simms talked about one plan he reviewed that he said was “actually very good,” in part because the unnamed agency’s plan called for taking advantage of cloud-native technologies.
Adoption of cloud services, he said, means that an agency “can enable a lot of the zero trust features that we are looking for.” Simms added he was “absolutely encouraged” by the agency’s plan. “What they are doing in the cloud zero trust, that is a strong indication that they are headed in the right direction.”