MeriTalk Q&A: VA CIO Kurt DelBene Talks Zero Trust, SSR

MeriTalk recently sat down with Kurt DelBene, chief information officer (CIO) and assistant secretary for information technology at the Department of Veterans Affairs (VA) to talk all things zero trust, Special Salary Rate (SSR), and his time so far as the agency’s CIO.

DelBene joined the VA in January 2022, after retiring from Microsoft, where he most recently served as the executive vice president of corporate strategy and core services engineering and operations.

However, DelBene is no stranger to the public sector. He also worked in the Obama administration on improvements to the Healthcare.gov enrollment website, as the senior advisor to the secretary of Health and Human Services.

As CIO, DelBene oversees the VA’s vast threat surface, which includes over 500,000 desktops at over 2,000 locations, interfacing with over 1,000 systems. In the following interview – edited for length – DelBene discusses his zero trust approach to staying laser-focused on cybersecurity.

MeriTalk: To kick things off, I know there are a lot of different interpretations and definitions for zero trust out there. What does zero trust mean for the VA?

DelBene: Well, at its heart I think zero trust is a simple premise. It’s you can’t trust that the network perimeter will be secure, that people have gotten so good at attacking it and getting in that you have to think about different ways to secure the enterprise. So, that comes down to one, how do you make sure that the people that are accessing resources are the people you expect them to be? How do you make sure that they’re actually accessing the computing resources from a device that’s actually safe – because the whole notion of getting onto a network and then being able to attack based on an already corrupted machine is a very real threat? And then it comes down to making sure that humans are the people that are connecting to these servers. And if they aren’t – because they’re service accounts – you use a high degree of discipline around managing those service accounts, moving them to something that is more trustworthy than name and password.

It then is also the notion that you should verify that the people who access the resources have a need to access those computing resources. And that you implement least privileged access, which says that when I get in, for instance, I get into the network, it doesn’t mean that I can access anything, it means that the only resources that I can access are the ones that I should be able to access because of my job. That’s an incredibly difficult thing to do because people move around – we have over half a million users. You can imagine the complexity of making sure that for each and every one of our systems, the only people who can access it are the people whose jobs require them to be able to have access to those resources. And then it also presumes that infiltrations are still going to happen. So, you have to be super good in terms of having great telemetry and great monitoring of the network to be able to identify these infiltrations that happen super quickly, and to remediate quickly. It even tests things like what is the fastest time that you remediate a particular vulnerability. That becomes part of the discipline as well.

Then the final thing is, in the same way that end-user devices are kept patched to a high level, every resource in your network has to be patched to a high level of whatever that standard is at a point in time – which changes as new vulnerabilities are found. As you can imagine, there are hundreds of thousands of computing devices on our network and that process of making sure that every one of them is up to that standard, that constantly changing standard, is a very challenging thing to do. But it’s all those things that combine but start with that simple premise that says the network as a perimeter is no longer a boundary that you can count on.

The final thing I’d say is it doesn’t mean that the perimeter is not part of your defense. Sometimes I think people are a little confused about that. That is still a place that you can defend upon, but it still means that you take additional steps and that your fundamental approach does not count on that as being universally trustworthy.

MeriTalk: A lot to dive into there. Going off of that, CISA’s Zero Trust Maturity Model includes five pillars of zero trust, how do you prioritize each pillar, and where is the VA in addressing each of those pillars?

DelBene: I think we’ve really focused not on a particular model – I know CISA likes that model and it’s a good one. But for me, it’s really been a transformation around what is the risk-based prioritization that really looks at the different threats that you have and prioritizes those in order of what we think the riskiness is. So, it’s the combination of doing it that way, of being very focused around what is the actual vector that somebody is going to get in that we think is the most concerning, and then targeting those with very concrete objectives that we have.

It’s really two pillars. One, there’s that of being very threat-based and very technical in your analysis of where those threats are. And then the second thing is allowing compliance and gates to actually manage the entire list of things that each one of these systems has to comply with. First and foremost, I think multifactor authentication is a critical one. And getting back to this whole notion of knowing your user. That’s all about making sure that that person is the person that you think it is. And so that even has two elements to it. That is the people logging into your network. We’ve got MFA [multifactor authentication] on 100 percent of those devices. And then it says that all of our systems use single sign-on that interacts with that network log-on to say ‘Yes, MFA is enforced on each and every one of those systems.’ And so first and foremost, I think that’s absolutely critical.

Then, it’s doing things like driving down service accounts to their bare minimum, making sure passwords get rotated on those accounts frequently, and so there’s a real sequence of things that we’re driving through. That’s very, very threat-based and risk-based. And then the second thing is, we’re very intensive around our compliance on each and every system and having checkmarks. For instance, have you done an audit of who can log into that system within the last 90 days? Just a really rigorous process there. And those two combined are the way that we think we’re going to drive forward most effectively.

The final thing I would say is that compliance is only good if you have gates that you’re enforcing that say you can only continue to operate in our network if you are at a good space in terms of compliance. And so we’ve really amped up our rigor around ATOs – or authority to operate – to make sure that those gates look both at how the system is doing on compliance, and what the residual risk looks like so that the authorizing official can look at it and say, ‘I feel good about having that on my network, or I don’t.’ I think it’s too easy to slip into this being an automatic process where people say, yeah, it looks like they’re making progress. We’ll allow them to renew the ATO. We look at things and say you know, we may only give you a 30-day ATO because you’ve got some processes that really need to get improved before we feel comfortable.

The final gate for us is the FITARA [Federal Information Technology Acquisition Reform Act] process. And I think FITARA is that opportunity to say one, is the contractor – and a lot of our work is done by external contractors, and we partner deeply with them – but are they using best principles in terms of managing the security footprint of the systems and the efforts that they deliver to the VA? I’ve really gotten the team to amp up both those things as critical gates that we need to use to make sure that we’re making progress.

MeriTalk: You mentioned FITARA, I want to talk about that a little bit. How is the VA leveraging FITARA to ensure its IT projects have a good cybersecurity plan in place?

DelBene: Sure. Well, I think of FITARA as having much more of an opportunity to manage as being that gate and that process where we manage what it is we’re acquiring from third parties. I am a big advocate of FITARA. I think everybody would say that within the organization. Things that I think are really critical are how has the vendor been performing. Do we have clarity around the product strategy? A lot of times things will come to FITARA review and it feels pretty squishy n terms of what are the requirements of the system? What are the stages of development and what opportunities do we have to review how that system is being built before we go to full deployment?

I really want to avoid a lot of big bang development where it’s like, we’re going to buy the whole thing at one time. We should do what we do in the commercial sector, which is we build the first prototype, we build the first minimum viable product, we assess whether that’s meeting the need, and then we have a conscious decision to roll that out. I think FITARA is a critical part of that. And we’re structuring milestones even on large projects, such that they have that first milestone that really assesses feasibility.

In the security space, in particular, does the vendor have good security practices, generally speaking? In a lot of cases, I’m approving FITARA actions for ongoing effort. And so you can look at have there been any security issues that we’re concerned about? Do we feel good about their compliance and things like ATO gates, etc? And so I think it’s much beyond just security, to be that gate of do we really feel good about this acquisition? I mean, I go into a FITARA review – and I have them weekly – and I want to make sure that every dollar we spend we’re spending it as if it’s a taxpayer dollar that is scarce. And that means focusing on the right thing and making sure we have a good plan with good gates to make sure that we’re making progress and it’s not off the rails.

MeriTalk: Right. I love that you have a FITARA review every week, that’s great.

DelBene: I have two of them today.

MeriTalk: A very timely topic then! Back to zero trust, because zero trust doesn’t have a set beginning or end – it’s not like you achieve zero trust all of a sudden one day – how do you create an implementation plan for zero trust because there’s not a set timeline?

DelBene: I think that’s a great question. First, I think if you think about the two things we do around one, driving good compliance, it’s the bedrock so to speak, which is the way you get that broad swath across all your programs saying if you’re going to come up to an ATO, you’ve got to meet this set of requirements. And that’s actually a way you can just diffuse it across the organization because there are so many system owners in the VA. We’ve got over 1,000 different systems that we manage, the scale is enormous. But your compliance is your bedrock or your ‘getting started’ so to speak, and that ATO being that gate.

But then the second thing is if you’re really focused on a risk-based approach, then we have to get together as a team and assess what are the particular high-priority goals we want to drive in this semester. And so we have OKRs [Objectives and Key Results] and we define OKRs in the particular security base, but we do it across the entire team. Those get updated every six months and change – some of them will persist. We may ratchet down the goal and it may be harder in the next six months. Some of them will say we’ve accomplished this and we’re moving on to another goal. So it’s this process of saying the most important things that we want to achieve in this semester are these, here are the OKRs we’re going to establish, we have some that are for the security teams in particular, and then we have some that we percolate up to the VA OIT organization, the entire organization – they’re kind of org-wide goals. And security is a number of those, and we review them monthly, and we make sure we’re making progress.

It is, to your exact point, it’s an iterative process. There is no way to actually validate the negative, which is you haven’t been infiltrated. In fact, you’re probably better off assuming you have been and figuring out how are you going to find those places that the bad actor has already gotten in. But again, we essentially rinse, lather, and repeat over and over and over again, by ratcheting up our goals that we’re accomplishing and changing the goals themselves to be that next check, click down of what we want to make progress on.

MeriTalk: Rinse, lather, repeat. I like that one.

DelBene: Actually, I think it’s lather, rinse, repeat.

MeriTalk: That would make more sense – lather, rinse, repeat. Otherwise, you’d still be pretty soapy.

DelBene: [laughs] Yeah, exactly.

MeriTalk: You mentioned goals. How are you tracking progress on your own zero trust goals and then as well as objectives outlined in President Biden’s cybersecurity executive order?

DelBene: Well, we have to report to OMB on the progress we’re making on goals in particular. They kind of do the same thing that we do saying ‘at this point in the level of maturity against the zero trust model overall, here are the things we want to make progress on as an administration.’ For instance, there’s a lot of focus on getting to 100 percent MFA compliance, both for end users logging in and for system login. I think it’s important to note that when you’re talking about some systems that are quite old, that second one around system login with SSO or with MFA – SSO basically you use a common system that implements MFA, and if a particular system uses SSO to sign on, or single sign-on, then it will inherit MFA so to speak – but some of these systems are so old you have to do MFA directly on the system itself. But there’s a tail, and I think we’re getting to a really good spot in terms of individuals logging in and using that MFA. There’s a little bit of a tail of older systems that we still have to work on to get them to MFA as well.

The other thing we do is we look for the most critical systems. We defined systems that we call our bedrock systems and our critical systems. The bedrock ones are the ones that everybody depends upon, and the critical systems are that next layer of most essential systems for the VA. You certainly ought to get to a point where both of those are doing MFA and doing single sign-on. And so again, it’s this process of figuring out what are the most important things for us to tackle and in what order.

Other things that are important at the OMB level are encryption at rest and encryption in transport of data. So, MFA has been a big focus for them, encryption has been a big focus for them as well. And we report to OMB so that they can have a universal view across the federation or across the Federal government on who’s doing well and who’s lagging. And they will definitely ask, every time we report something, I get a call from somebody at OMB saying, ‘Tell me a little bit more about this statistic,’ which I welcome.

One other thing that I think is interesting, we as an industry move towards this notion of adoption models. And everybody has their favorite adaption model that says, ‘You do this first, then you do this first.’ I actually don’t think that that’s the best way to think about the problem. And I think, again, you have to have deep technical knowledge in your organization that looks at your situation in particular and figures out where the real threat vectors are for your organization in specific.

For instance, when I came to the VA, I was like, ‘Wow, they don’t allow anybody to run as admin on their PC.’ At Microsoft, it was not that universal. We wanted to move to there, but we had a lot of developers who said ‘I want to be able to install anything on my machine as I want to be able to do.’ And that’s all the way down to kind of the driver level. Here, we don’t let people run as admin, so there’s a whole vector around phishing, taking over a machine, and moving laterally can be thought of as a little bit lower. You can’t rule it out completely, but it is a gift that we have that already has been established at the VA. And you don’t want to count on a perimeter security, but the perimeter security at the VA is actually pretty good, particularly when we depend also on organizations like CISA, who do external looks at who’s going after Federal assets as well. So, our situation may be different than a small business or a midsize, or a corporation that’s more on their own in that regard. We want to figure out, okay, we can count on that, but only to a certain extent, and let’s not get complacent there, but we have to factor that into how we think about the risks as a result.

MeriTalk: That makes sense. I want to shift gears a little bit, how do you hope the approval of the Special Salary Rate for IT specialists will impact VA’s workforce?

DelBene: We’re very excited about the SSR and thankful for the authorities we got through the PACT Act to actually implement the SSR. We did a survey in cooperation with OPM to see what the salaries look like for what are called Series 2210 employees or IT employees in the VA versus the industry. And it was pretty significant and stark, that gap between industry salaries and our own. So, what the SSR will do is just for that 2210 Series, bring everybody up to much more competitive with the industry.

I think we have an incredible charter and mission in the VA, a place where people want to work, but they also have to think about you know, I’m providing for my family, I have aspirations in my life, and one of the things this will do is erase that concern that people have that ‘Oh, I’d love to go and help veterans in health care and their benefits, lead fulfilling lives, but I can’t make that cut in my salary to do that.’ So, we expect that it’ll help make our jobs overall appealing and remove that objection. But it also has to be part of one piece of a broader set of initiatives to make this a great place to work. So I’m just as excited about saying, okay, what does it look like for an entry-level person to come into the VA and to OIT to start their career? In a lot of cases, 50 percent of the folks in OIT are veterans, and so it’s an exciting off-ramp from active duty into a place where you’re helping your brother or your sister that you were in arms with and now you’re helping them as they transition to civilian life.

But that has to be a career progression, and I need to be able to see that I would go from, you know, we were talking about cybersecurity, what’s the cybersecurity career progression look like from a new person in that field all the way up to super senior analyst in the security space.

We need to do work internally to clarify what those steps are along your career progression, and how do we provide experiences and education to move you along that, and at the end, if some of you exit and go to private industry, I consider that a win. I’d love to keep you in the VA. I’d love to keep you in the Federal government. But, if I’m also training great cyber or great IT professionals to join the private sector as well, that helps those people have fulfilling lives, and I think that’s great, too.

MeriTalk: This one is kind of a fun one to end on, but what is one key lesson or takeaway you’ve learned thus far during your time as VA’s CIO?

DelBene: Oh, my gosh, I didn’t expect that one. There are so many of them. I would say overall, where I have focused has been not on particular projects. I spent a bunch of time on particular projects and saying how do we get these to have a really clear line of sight and delivery. But to me, the thing I’m most passionate about, and I think folks in the team would confirm this, is how do we build a world-class IT development organization.

I think IT has historically been about purchasing systems, running systems, and talking to stakeholders being like order-takers. And that’s really in stark contrast to how software development works in the commercial sector. It’s actually more similar to how IT runs in the commercial sector, the IT organization, but I think the model of thinking about it as a product development team, where you have a product that you are delivering to your stakeholders, you have to have a vision for that product, and then come up with a roadmap that will be the most impactful, come up with resourcing that’s equivalent to that, or that helps you deliver on that, and that metrics of success. That’s how we ran product development in the commercial space, and that model to me is really, really appropriate for the transformation that has to happen in Federal IT and the transformation that has to happen actually in commercial IT as well.

So, for me, that is the transformation I worked on in my last role at Microsoft, it applies super, super well here as well. So I would say one thing, getting that affirmation I think has been great. And then I just think the passion that people have in this organization to serve veterans, it’s real. Coming from the outside you think, ‘a Federal worker, are they super focused on mission?’ This is an organization that is hyper-focused on mission and that’s been really energizing.

Cookie	Duration	Description
AWSALBCORS	7 days	Amazon Web Services set this cookie for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	New Relic uses this cookie to store a session identifier so that New Relic can monitor session counts for an application.
PHPSESSID	session	This cookie is native to PHP applications. The cookie stores and identifies a user's unique session ID to manage user sessions on the website. The cookie is a session cookie and will be deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_pxhd	1 year	PerimeterX sets this cookie for server-side bot detection, which helps identify malicious bots on the site.

Cookie	Duration	Description
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
__cf_bm	30 minutes	Cloudflare set the cookie to support Cloudflare Bot Management.

Cookie	Duration	Description
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
pardot	past	The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking.
UID	1 year 1 month 4 days	Scorecard Research sets this cookie for browser behaviour research.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
__gads	1 year 24 days	Google sets this cookie under the DoubleClick domain, tracks the number of times users see an advert, measures the campaign's success, and calculates its revenue. This cookie can only be read from the domain they are currently on and will not track any data while they are browsing other sites.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
GoogleAdServingTest	session	Google sets this cookie to determine what ads have been shown to the website visitor.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
muc_ads	1 year 1 month 4 days	Twitter sets this cookie to collect user behaviour and interaction data to optimize the website.
personalization_id	1 year 1 month 4 days	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps differentiate between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
_mkto_trk	1 year 1 month 4 days	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__gpi	1 year 24 days	Google Ads Service uses this cookie to collect information about from multiple websites for retargeting ads.