Top cybersecurity officials from the Defense Department (DoD), Federal civilian agencies, and the private sector laid out their developing strategies for zero trust security migration, cloud adoption, and meeting requirements of the Biden administration’s Cybersecurity Executive Order at an October meeting of the Foundation for American Science and Technology (FAST).
Emerging from the meeting was a much-needed dialogue between the public and private sectors for better collaboration, and a realization that while each Federal agency has its own mission and unique challenges, many share a similar focus.
Zero Trust and the Cyber EO
Executive Order 14028 on Improving the Nation’s Cybersecurity was released in May with nine sections outlining specific focus areas for security improvements. The EO places significant emphasis on zero trust security adoption – mentioning it eleven times. But six months after the order’s release, and despite several guidance documents from the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), Federal agencies are in many ways still grappling with how to best incorporate zero trust concepts into their overall security strategy.
While zero trust guidance provides a common roadmap, each agency faces the challenge of charting an effective course for adoption and layering zero trust onto its existing security strategy without disrupting mission sustainment. Even with the EO, and absent a strong, proven use case to serve as precedent, it can be difficult to make the first move, especially without dedicated funding.
Agencies are hoping that the criticality of zero trust, however, may provide an opportunity to break the traditional mold for procurement and implementation. They are pushing for changes to the requirements process with things like a lightweight or continuous Authority to Operate (ATO) – reducing the number of controls from hundreds to a few dozen core controls, and reducing the duration of the overall process. Sometimes referred to as a rapid ATO, this continuous authorization can allow software to be authorized once and used many times, providing the opportunity for security solutions to not just be used and shared across a single agency, but across multiple agencies as well.
Better security doesn’t just require modern solutions, it requires a modern approach for procurement, authorization, and adoption. Just as legacy tech can introduce security risks, legacy processes can allow pervasive security risks and threats to persist.
Cloud Adoption and Cyber in the Cloud
While many agencies were already leveraging the cloud in some capacity, the pandemic served as a forcing function that has propelled further adoption to satisfy requirements of accessing data and applications remotely. What’s top of mind now is consolidating and converging cloud instances for better security and visibility. Barring specific requirements for cloud adoption, and spurred by the need to maintain the mission, cloud management and security both now frequently fall to organizations to sustain independently. This has created a massive gap in visibility and increased risks for these organizations.
In addition to visibility, Federal organizations require a hybrid cloud model and cloud portability: the ability to move applications and data from one cloud provider to another, and to keep some critical data and applications on premises. Limited budgets are a key driver for the government's requirement for portability and flexibility. Much like consumers shop around for the best value for goods or services, agencies have to use the service that represents the best value within their budget, and sometimes that means changing services.
Federal agencies at the October FAST meeting agreed that the notion that moving to the cloud will save money is a misconception. While there may be some long-term cost savings and opportunities for improved efficiencies, the top drivers behind cloud adoption are mission requirements and the need for modernization and better security.
Modernization, Integration, and Continuous Authorization
IT modernization has been an ongoing effort across government for years, but in many cases, modernization really just means catching up as opposed to getting ahead. Government systems and networks weren't architected for the cloud. Those that haven't yet been modernized were built to support an on-premises environment, both in terms of IT operations and security.
While cloud adoption is but one facet of an overall modernization strategy, it’s a big one. From data transfer and data center consolidation to application and tools rationalization and retraining and retooling personnel, it’s a time-consuming and resource intensive process. And, because of the time required, the best-laid strategy for modernization and adoption might be realized as outdated by the time it’s fully funded and executed.
Federal and industry participants agreed that just as government needs to streamline procurement and ATO processes, industry can help reduce stove-piped solutions by providing integrated solution offerings. While Federal agency participants acknowledged the need to retire legacy tech, they also said they are looking for integrated solutions that augment what they already have, while complementing other new investments.
Solution providers selling to the government, of course, face the challenge of trying to provide Federal-specific solutions for a federated government that’s comprised of hundreds of individual organizations and sub-organizations.
While there are certainly some significant obstacles to implementing the necessary changes to meet the requirements of the Cyber EO, there are two clear actions that must remain in focus for both government and the private sector.
First, both sectors must acknowledge that legacy structures aren't just limiting, but actually increase risk, not only in terms of technology, requirements, strategy, and processes, but also in terms of security expectations. Decisions in each of these areas that were made in years past may have been the best decisions at the time, but that doesn't mean they are the right decisions for today's environment. It's never been more critical that the public and private sectors determine ways to overcome long-standing limitations brought about by precedent and political inertia, and demand improvements that exceed the current security status quo.
Second, there must be a willingness to assemble and speak candidly across the public and private sectors. Without transparent communication and a sincere desire to collaborate for the betterment of our nation's security, progress will be difficult to realize for either sector. To that end, FAST will reconvene on Jan. 13, 2022 to continue the conversation and chart a course for tackling the hardest problems facing government.