Federal agency leaders agree that zero trust is a journey that will take time to implement but, with modern-day cyber threats, the sooner agencies implement zero trust the better.
During ACT-IAC’s “GSA and Agencies on EIS – Looking Ahead” event, Federal leaders discussed why zero trust is important and how the Enterprise Infrastructure Solutions (EIS) program ties into it.
“It’s going to take time for us to build out the right Federal infrastructure to support more modern type threats that we have,” Allen Hill, deputy assistant commissioner for category management at the General Services Administration’s (GSA) Office of Information Technology Category, said at the event.
“Moving to a zero trust architecture is the star that we’re moving towards, and each agency is going to be on different levels,” he added. “And so that’s where we should be focused is how do we move to that more secure infrastructure to ensure that we’re not only securing the data, but we’re providing the services that we need to do as agencies.”
Steven Hernandez, chief information security officer (CISO) at the Department of Education, agreed that zero trust architecture will take time to implement, but also stressed there is no “finish line” when it comes to security.
“[Zero trust] certainly is a journey. And I think if we’re being fair with ourselves, we’ll never say ‘yeah I’ve completely crossed the finish line, zero trust is done.’ And that’s the point, the point is that we’re constantly evolving,” Hernandez said.
As for where the Department of Education is in its zero trust implementation process, Hernandez said his agency is currently focused on the Identity, Credential, and Access Management (ICAM) framework, non-person entities, and getting a control fabric in place, “including capabilities from EIS.”
“Probably furthest out for us is the AI machine learning because if we don’t have these other things in place and then we don’t have things like EIS in the control fabric, there’s really not much for AI and machine learning to do in the trust engine,” he added.
Hernandez said his agency is “very excited to move forward” in the zero trust implementation process, with the hopes of one day having AI in that space. For now, Hernandez is focused on risk visibility when it comes to zero trust.
“From my perspective as the CISO, it’s all about risk visibility,” Hernandez said. “So much of the conversation is, ‘Hey, why zero trust, why now?’ … and it’s a lot of these great leading-edge technologies. For example, software-defined perimeter, software-defined networking, the ability to change your networking fabric layer three and up on the fly, as needed, things that that trust engine can then dive in and influence, without the need for human intervention. And of course, that immediate reporting back, which is what I’m looking for, that risk visibility.”