The Cybersecurity and Infrastructure Security Agency (CISA) is considering turning its current Trusted Internet Connections (TIC) program office into an office that supports Federal agencies as they pursue requirements from CISA and the Office of Management and Budget (OMB) to migrate to zero trust security architectures.
That was one of the top takeaways from Sean Connelly, who is TIC Program Manager at CISA and one of the driving forces behind helping agencies accomplish that migration, during a panel discussion on March 8 at the Zscaler Public Sector Summit in Washington.
“We are looking at how to transition the TIC program office towards being some type of zero trust program office,” Connelly said in reply to a question from Stephen Kovac, Zscaler’s vice president and chief compliance officer, who moderated a panel discussion featuring Connelly,
Brian Conrad, acting director of the FedRAMP program, and Leah McGrath, executive director of StateRAMP.
“This goes back to the NSTAC report that came out last year” that suggested CISA “look at setting up some type of zero trust office,” Connelly said. “So we are still working with OMB and other stakeholders and how to stand that up.”
Connelly said that move would “ideally” be part of another ongoing effort to set up zero trust training cohorts for Federal agency officials.
The CISA official explained that a few themes have emerged from his agency’s role in helping OMB to adjudicate zero trust implementation plans submitted by Federal agencies, including “they need help with budget, and they need training.”
“From the CISA side, we’ve already started to help with some of the training to understand what zero trust means – both to the executive leadership at the agencies down to the practitioner.”
“At CISA, we’ve had a number of cohorts – I think we’re starting the second cohort – the first one finished up with ten agencies, the second one with about 15 agencies,” he said. “We’re trying to help with the training.”
“But the bigger part is the budget, and the resource constraints around that,” he said, adding, “through a number of ways – I think this will be a primary way to catalyze [and] to help agencies as they are trying to move forward, the struggles they’ve had with some of the budgetary challenges before.”
Connelly noted that he is on the board of the Technology Modernization Fund (TMF), and said that Federal agency “plans are coming into the TMF board – again a way to augment or motivate or push those agencies forward in new ways that they haven’t been able to do before, it’s perfect timing.”
Asked by Kovac to offer predictions for the next one to two years, Connelly replied, “stay tuned … we’re coming out with a zero trust program office, agencies want guidebooks, playbooks, better understanding getting beyond just the large information books … more understanding of what agencies are doing so other ones can build off of that.”
Asked about the same future window, StateRAMP’s McGrath said, “I think you’ll see much more rapid deployment of StateRAMP by governments who are starting to incorporate that as requirements into their processes and procedures to work with suppliers.”
“I think expansion and working more with higher education and K-12 is where we hear a lot of demand and interest, so that will grow,” she said.
“And then thirdly, really trying to work toward harmonizing some of these requirements that flow down from Federal agencies to states and local so that we can continue to drive towards standardization to make it easier for suppliers to meet those requirements, but also for our states who are trying to validate them,” she said.
“Looking into the crystal ball, I’m going to say there’s going to be a greater focus on the Federal level around supply chain,” Conrad said. “We’ve seen this a little bit in the legislation – if you really dig deep and look, in there are independent assessors or third party assessors [that] are required now to report foreign ownership control or influence … so that that’s a pretty big deal.”