Zero-trust strategy will likely be different for each federal agency

As the federal government’s zero-trust journey continues, cybersecurity officials say they are working to review individual agency plans, harmonize implementation guidance and set up alternative standards to judge the progress of smaller agencies and offices.

Chris DeRusha, the federal government’s chief information security officer, said now that agencies have submitted their plans for moving to a zero-trust architecture, they will need to go through an Office of Management and Budget review, a process that is likely to lead to further changes and refinement.

“What we’re doing right now is going through those plans and making sure that they align to what we asked [agencies] to do in the memo, making sure that they’re sound plans working with the budget side to make sure that they have awareness, as well,” DeRusha said in an interview Wednesday after speaking at an event hosted by Institute for Critical Infrastructure Technology.

Agencies have been naming a mixture of CIOs, CISOs and other officials as their leads for implementation, and part of OMB’s process is evaluating whether those designated officials are the best fit for the job. The agency is also incorporating technical input from staff at the Office of the National Cyber Director.

Where possible, zero-trust items have been incorporated into respective agency budgets, but DeRusha said OMB and the White House designed the zero-trust mandates with a general three-year deadline in order to maintain enough flexibility to work through each agency’s unique IT environment.

“A reminder of why we did it this way as opposed to setting concrete deadlines for all the tasks in the memo is we wanted to be mindful of this [reality]," DeRusha said. “We understand that every agency is in a different spot in their journey across these five pillars in the strategy, and we really want to make sure that we have this opportunity to develop strong points.”

There’s also a challenge in synthesizing all the different guidance that agencies are receiving. OMB is leading the implementation of zero trust in the civilian federal government and has put out its own zero-trust outline that agencies must follow. Others have also weighed in, with the Cybersecurity and Infrastructure Security Agency, the NSA, the National Institute for Standards and Technology and military agencies like the Defense Information Systems Agency publishing or in the process of developing zero-trust guidance and strategy documents for downstream agencies to follow.

While some of these documents are meant to serve specific purposes (for example, CISA’s guidance is meant to help agencies reconcile their zero-trust tasks with the technical and cybersecurity maturity of their IT environment), they have also created a mash of documentation for agencies to ingest and some confusion.

According to CISA Deputy Director Nitin Natarajan, that diversity of resources is by design and part of a broader effort to collaborate with other stakeholders and achieve buy-in for the work ahead.

“The federal civilian enterprise is a wide-open space. A lot of people perceive it to be we just reach out to a bunch of CIOs, say ‘do X’ and it happens,” Natarajan said. ”But realistically, that’s not the reality that we’re in, so how do we make sure that we can talk about … where we need to go, what is the best way to get there and then how do we invest in that?”

Like DeRusha, he reflected on the need for a process that is measured and can take into account the unique budgetary, staffing and technology needs at each agency.

“You know, there’s not a magic checkbook in government, so how do we make sure that we’re resourcing these things effectively to get to success?” he said. “If we’re not resourcing correctly, we can’t get there from here. And the federal budget process is [slow], so how do we make sure we can get investments where we need them to be to really be on the forefront of that? It’s going to take some time, it’s going to take some prioritization and some commitment.”

Small agencies bring big cybersecurity challenges

One of the more complex challenges facing OMB and other agencies is figuring out how zero trust mandates will trickle down to smaller and mid-sized agencies. The federal civilian government is a vast empire of departments, agencies and offices, some with hundreds of thousands of employees and billions of dollars in spending authority, while others have only a few dozen employees and a budget measured in the millions of dollars.

It is often impossible to craft mandates that are relevant to the IT realities of the Department of Veterans Affairs ($316 billion budget) and the Selective Service System (with an annual budget of less than $30 million) and documents like OMB’s zero trust guidance are often developed with the former in mind.

Some have questioned whether agencies can really complete the work, which includes identifying every network connected device, implementing multifactor authentication and encryption, microsegmentation of networks, accelerating cloud deployments, deploying endpoint detection and response systems and more, by 2024. There is of course another event that is taking place around that same time which could be influencing that timeline: the end of President Joe Biden’s first term in office.

Greg Touhill, who served as federal chief information security officer under President Barack Obama, told SC Media that the timelines established aren’t impossible, but do speak to the reality that those in charge of implementing the plan may not be around to see it through past 2024.

“You’ve got to acknowledge the political realities and the ‘Cinderella strike of midnight’ aspects of the administration,” said Touhill, now director of the CERT at the Software Engineering Institute. “I think it’s certainly [achievable] — it’s late to need — but we’ve got to choose wisely.”  

Touhill said many smaller and micro agencies are simply not going to have the resources or staff to effectively manage the kind of technological requirements that will come with the cybersecurity executive order and zero-trust mandates. He has advocated for a managed security service provider (MSSP) model in government that can handle the cybersecurity needs of smaller- and less-resourced agencies and offices, and said the government must stop buying technology that requires months of training and a legion of cyber professionals to properly install, configure or manage.

“I do think for the small agencies out there, just like the small- or medium- [sized] business, having an MSSP type of relationship provided by one of those related-, larger- and better-funded agencies, might be a prescription for moving faster and providing better protection of the people’s information,” Touhill said.

DeRusha, for his part, has been singing the same tune since last year, saying that smaller agencies won't be judged by the same standards as larger- or mid-sized agencies when it comes to implementing the administration’s mandates. He told SC Media Wednesday that OMB hasn’t yet determined what those standards will look like, but as they get more data it will help them craft alternative options for implementation and budget needs.

“I think it’s too early to say [right now] but I will be very transparent that it will be different and we’re going to really work with the small and mediums to make sure that we come up with a successful plan, because it may end up looking different than for the large [agencies],” he said.