The Biden administration’s latest set of directives, which aim to move Federal agencies toward zero-trust security architectures and more cloud adoption, is receiving positive initial reviews from Federal IT officials, while leaving some to wonder where the funding will come from for agencies to follow through on the directives.
The draft guidance documents released earlier this week by the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) provide the next set of road maps for Federal civilian agencies to transition to zero trust security concepts over the next three years, and to guide agencies to securely migrate to cloud services. Both of those goals form centerpieces of the Biden administration’s Cybersecurity Executive Order released in May.
The cybersecurity executive order and the subsequent directives are “exciting … and moving the Federal government and the nation in the right direction,” said Sheena Burrell, Deputy CIO at the National Archives and Records Administration (NARA), during an event today organized by AFCEA Bethesda.
At the same time, she said the order and the directives are “challenging because [they] didn’t come with a boatload of resources” to implement them. “That’s challenging for a small agency like NARA,” Burrell added. Because the annual government budget cycle and the cybersecurity executive order do not precisely align, “some of the agencies like mine really don’t have the resources” to take action on the directives, she said.
Speaking more generally about the goal of migrating to zero trust security architectures, Burrell said that zero trust “is a priority right now” at NARA. “We have already implemented some of the foundational elements of a robust zero trust environment, but we are not there yet.”
“Zero trust is going to be a journey,” said Mittal Desai, CIO at the Federal Energy Regulatory Commission (FERC). “The requirements are very extensive, and we are trying to dissect that out” to prepare for implementation at the agency, he said.
Relevant to FERC’s approach to implementing zero trust, Desai said, is the agency’s current planning for application modernization, which will involve moves toward low-code, cloud-based environments. He pointed out that zero trust implementation also involves user change management, and said “that’s going to be imperative for us to implement.”
On the funding side, Desai commented, “we are all going through the budget cycles,” and said that FERC officials are applying for Technology Modernization Fund (TMF) support to fund cybersecurity work.
TJ Richardson, Deputy Director, Cybersecurity Operations at the Department of Health and Human Services (HHS), said her agency already has solid experience in moving toward zero trust security principles with several of its component agencies, which should help execute the White House directives.
“HHS has been at the forefront of working with zero trust models,” including through pilot projects at the National Institutes of Health and the Food and Drug Administration, with work on security logging among them. “We have been working within zero trust” and on how those concepts work across multiple organizations, she said. “We are focused on the visibility that can be gained through centralized logging … we are excited about that.”
Shane Barney, chief information security officer at the Department of Homeland Security’s United States Citizenship and Immigration Services (USCIS) component, said his agency started on its cloud journey ten years ago, and reckoned that 85 percent of its systems already are fully or partially cloud-based.
He said the Biden administration’s draft policy directives focusing on zero trust are good developments because they “pull us back into a security discussion” that can then drive further engagement on security with agency leadership and networking teams.
Also on the plus side, the OMB policy directive released earlier this week, he said, removes from the discussion a focus on cybersecurity tools, and “focuses on architecture and design” for zero trust.
During a separate event today organized by NextGov, Commerce Department CIO Andre Mendes said his agency has been working on zero trust architecture designs for several months, and that the directives issued this week by OMB and CISA match up well with the work that Commerce is already doing.
“Everything I have read [from the directives] so far seems like a complete overlap between what we are doing and what they are recommending,” Mendes said. “We are in complete synchronicity.”
Sean Connelly, TIC Program Manager and Senior Cybersecurity Architect at CISA, said during the same event that OMB’s directive reflects the agency’s stance that there are “many paths on the zero trust journey.” He added, “there are different ways to achieve zero trust … but that is not the only way.”
Asked where agencies ought to start in grappling with the draft policy directives, Connelly advised agencies to respond to OMB during the comment period that runs through September 21 with their concerns or questions. “OMB really wants to hear about that,” he said.
Connelly also suggested that agencies begin practical zero trust steps on a smaller scale. “Do some pilots first,” he offered, adding, “every agency will be a little different with what they want to secure.”