The NGA and DHS S Approaches

The National Geospatial-Intelligence Agency is figuring out how to apply Zero Trust features to more than 1,300 systems and applications.

The variety and scale of those efforts require a different kind of approach to the targets set by the intelligence community and the Department of Defense.

The Department of Energy’s goal of making zero trust a reality requires a workforce-first approach.

And the Consumer Financial Protection Bureau, the body tasked with enforcing the pillars of Zero Trust, is getting attention.


As the common refrain of this government initiative goes, there is no single path to zero trust, but the end goal is the same: to fundamentally change the way you manage your systems and data.

“One of the things we’re really focused on is how can we evaluate the integrity of Zero Trust implementations regardless of an advertising vendor’s express technology? How can we do this at a technological point and at a higher point, but also how can we expand the popular ones that allow us to evaluate the integrity of our trust algorithms within the policy resolution questions and policy drivers? How can we expand a popular measure so that it implies protection there and that it is just one of the spaces we study?” said Donald Coulter, cybersecurity science advisor for the Department of Homeland Security’s Office of Science and Technology, during a recent panel at the 930Gov conference, an excerpt of which was broadcast on Ask the CIO. “We will look at how to improve zero trust fundamental features and technologies that go beyond what popular advertising implementations will offer in the near term, and we will look at how to expand context awareness and expand all related metadata in all formulas and resources that we have to be able to express them through formulas, formula barriers and organizational barriers.”

Coulter said the Office of Science and Technology will focus on systems engineering and development lifecycle criteria and how to bring them together, i.e., from a supply chain risk management perspective.

Among the questions asked through the S

This and the challenge of integration are at the heart of NGA’s Zero Trust strategy.

Monica Montgomery, deputy director of data security and deputy director of the NGA’s office of cybersecurity, said seven pilots are underway in the agency’s commercial architecture to address all the pillars of zero trust.

“We have seven minimum viable products (MVPs) that are built around those other seven pillars, but they are broken down into another 91 Zero Trust activities and 170 business requirements,” she said. “As the systems go through this stage, the business control systems produce replacement requests (RFCs), which feed back into our solution journey. Therefore, we do not want to go to one or both programs. The systems are coming to us, and this gives us a wonderful opportunity to take a look at how we can use the investment that we have obtained from the Office of Management and Budget, the Director of National Intelligence and the Department of Defense, and appropriately allocate it and fund the services. But that’s not our entire business, so we want to find tactics to access the smaller systems that need that investment and don’t have the means to do it themselves. This through our enterprise architecture and our solutions saga, I believe we have a unique approach.”

NGA identified those minimum viable products based on a few criteria, including enterprise-wide systems, how the functions meet the DoD’s Zero Trust and IC target activities, and how they can integrate other parts of the enterprise more quickly.


The final criterion, getting everyone on the zero trust bandwagon, can be one of the most difficult parts of the effort.

To that end, the Energy Department is requiring a minimum level of training for all employees.

Amy Hamilton, visiting president of the School of Information and Cyberspace at the National Defense University and senior energy advisor for national cybersecurity policies and programs, said investing in people and education is one of the most important aspects of zero trust projects at Energy.

“What the branch is doing is making sure that one user at each site in each cybersecurity program is specially trained in zero trust. It was a huge initiative that required a lot of effort because a lot of times we don’t invest in other people and it’s more about getting a tool. So having those other people out there looking to do whatever we find very rewarding,” Hamilton said. “We decided to have a vendor go ahead and [create standardized education courses]. We also asked them to adapt in particular some of their knowledge bases so that other people could access a Rolodex. But what is done for the branch is to give us a lexicon not unusual, which also provides us with a deviation point.”

NGA’s Montgomery added her agency is making cybersecurity a part of everyone’s job.

“It’s not the other 137 people who deal with cybersecurity. That’s not their job. It’s total agency, wherever you are, your job is cyber because of things like phishing and who you are, and you possibly don’t realize privileged access that you have,” she said.

One way agencies are addressing the personnel challenges is through better software development, which lets leaders assign roles and responsibilities to users more easily.


Dr. Tiina Rodrigue, CISO of the Consumer Financial Protection Bureau, said her agency is focusing heavily on the subfiduciary application pillar for this and other reasons.

She expressed concern about supply chain risks, as well as open source software, since the CFPB builds much of its own software.

“We’ve noticed this before with Log4J and everything else, that when vendors or open source communities have issues, we inherit them transitively. Part of what we’re looking at is to create our own product progression team to make sure that security is also a component of ideation and it’s a component of orchestration that we’ve built into cybersecurity from the beginning, because with our systems thinking approach, we recognize that we’re all interconnected and that those things will emerge dynamically with a lot of time, fewer warnings than before and without warning,” she said. “Part of what we’re doing is building those relationships so that there’s a cybersynthesis across the board. That’s the main focus that we’re putting zero trust in, because with those identity-related applications, tied to the network, to the devices, and to the knowledge itself, we can protect it all at the same time.”
