Federal cybersecurity experts explained at a Nov. 8 ATARC event that the road to zero trust security is a long and often bumpy journey that their agencies are still learning to navigate, despite some being in the game for several years now.
Prioritizing certain pillars of zero trust security architecture over others is critical, said Miguel Adams, chief information security officer (CISO) at Millennium Challenge Corporation (MCC). “Don’t boil the ocean. This is a journey,” he advised.
Since MCC is still a relatively new Federal agency, Adams said, the organization is still in its educating and collaborating phase. MCC is teaching the vernacular of zero trust before jumping feet-first into implementing the security framework.
While the Department of Homeland Security (DHS) has been on its zero trust journey since 2017, the agency is still learning from its mistakes, said Shane Barney, CISO at the DHS United States Citizenship and Immigration Services (USCIS) component.
His advice to other agencies getting their foot in the door with zero trust is to start at the beginning and take it slow, making sure every step, such as identity and access, is executed properly.
“If I were going to advise any of the Federal agencies I would say first invest in the basics,” Barney said. “Then invest heavily in your automation.”
“[Next], go to the cloud,” he continued. “My final word of advice is it really is a journey.”
“[USCIS is] probably further along than other Federal agencies, not because we’re so much smarter, but because we got forced into cloud, and technology forced us down that road. And we’ve made a lot of mistakes along the way,” Barney said. “Learning from those mistakes is really critical, so reach out to your Federal partners.”
Alyssa Feola, cybersecurity advisor for the General Services Administration’s (GSA) Technology Transformation Services (TTS) organization, offered that the road to zero trust can be viewed on a spectrum, and currently, the Federal government has fallen somewhere in the middle.
“It’s a spectrum,” Feola said. “[USCIS has] been doing this for a long time, and still have low-hanging fruit.”
In other words, the journey is going to be long and it’s not going to be easy, but it’s critical in the modern technology and security age.
Feola’s job at GSA is to help change existing government-wide technology policies so Federal employees aren’t as restricted when it comes to implementing cybersecurity changes like the move to zero trust architectures. It’s a continuous process she is actively engaged in, so the cyber expert is hopeful Feds will make significant strides with zero trust over the next five years – or even less.
“Understand that we’re in this chasm of maturity and immaturity all at once, and that zero trust is just cyber hygiene rebranded, but playing catch-up is the new thing,” Feola said.
“It’s an odd space to be in,” she continued. “I don’t think we’re going to be here for long.”