Next steps on the cyber EO

With zero trust as a stated goal, agencies are mapping their strategies -- and funding plans

The May 12 Executive Order on Improving the Nation's Cybersecurity tasked agencies with an ambitious to-do list; one White House official said it represents a "fundamental shift in our mindset" from incident response to prevention. Equally important, the American Rescue Plan Act's $1 billion infusion for the Technology Modernization Fund means there is a plausible way to pay for some of those efforts.

FCW recently gathered a group of federal IT leaders to explore what those developments mean in practice — where agencies are focusing their near-term efforts, how existing security programs can adapt and when new investments may be needed. The discussion was on the record but not for individual attribution (see page 94 for full list of participants), and the quotes have been edited for length and clarity. Here's what the group had to say.

A welcome forcing function

Most participants praised the executive order; several said it validated arguments they'd been making inside their agencies for years.

"You really need to look at using it as a forcing function to get after some of these things that departments and agencies have been told to do for close to a decade in some cases," one chief information security officer said. "Things like multifactor authentication and encryption — those things just should have been done a long time ago."

FCW Perspectives

Participants

Sean Connelly
TIC Program Manager, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security

Chris DeRusha
Federal Chief Information Security Officer, Office of Management and Budget

Drew Epperson
Chief Architect, Palo Alto Networks

Sanjay Gupta
CTO, Small Business Administration

Craig Hayn
Chief Information Security Officer, National Cancer Institute, Department of Health and Human Services

Mike Hurt
Vice President, Federal, Palo Alto Networks

Wanda Jones-Heath
Chief Information Security Officer, Department of the Air Force

Heather Kowalski
CIO, INTERPOL-U.S. National Central Bureau, Department of Justice

Oki Mek
Chief Artificial Intelligence Officer, Department of Health and Human Services

Tony Plater
Acting Chief Information Security Officer, Department of the Navy

William Salamon
Director, ICAM Shared Services Division, General Services Administration

Eric Sanders
Deputy Director, Cybersecurity Office, and Deputy Chief Information Security Officer for Strategy & Management, National Geospatial-Intelligence Agency

Greg Sisson
Chief Information Security Officer, Department of Energy

Don Watson
Chief Information Security Officer, U.S. Patent and Trademark Office

Robert Wood
Chief Information Security Officer, Centers for Medicare and Medicaid Services

Note: FCW Editor-in-Chief Troy K. Schneider led the roundtable discussion. The July 12 gathering was underwritten by Palo Alto Networks, but both the substance of the discussion and the recap on these pages are strictly editorial products. Neither the sponsors nor any of the roundtable participants had input beyond their July 12 comments.

"We're looking at it as an opportunity to step back, clean up some things that should have been pushed over the finish line a long time ago," another official said. "And then looking for ways to set conditions to really take zero trust architecture seriously, and really develop an achievable plan."

A third participant pointed to the push for cloud-based computing and a cloud-based security model, calling them "pivotal points" that "will impact the federal landscape for years to come."

Another official, who said their agency had been somewhat reluctant to rethink its cybersecurity models, called the order "an all-out charge to permanently change and shift the way we're doing business."

There were cautionary comments as well, though. One participant pointed to "a challenging environment where a lot of our systems and work is done on the classified side."

"I know the EO would like us to get there overnight," that official said, "but the reality is it's going to take a very long time."

Next step: zero trust

Over the course of a 90-minute discussion, the group touched on a wide range of tactics the executive order calls for — everything from software supply chain security and improved logging to standardized contract clauses that spell out vendors' security obligations. Again and again, however, the conversation returned to zero trust as a cornerstone for future security.

"We've experienced pretty serious events over the past six months," one official noted. "And I think what we're all seeing is, it is demonstrating that we need a new paradigm to address those risks. And I think to most of us zero trust is a pretty good framework that describes what we need to do."

Multiple participants said their agencies had been talking about zero trust for some time, but now were moving quickly toward actual implementation.

"It's accelerating things," one official said of the executive order. "I'm pretty excited about how now, holistically as an agency, we're pushing those things forward."

The executive order is explicit in its requirement that agencies develop plans for adopting zero trust security principles, but one participant said the unspoken goals are even more ambitious. "There is a plan behind this, which may or may not be clear in the words of the EO, that we want to use zero trust as the sounding call to push us into the right direction, where we all acknowledge that we just can't trust the integrity of our networks now," that official said. "And we have to do something fast and move with alacrity to start addressing that. And it will be imperfect, that's true, but I do think we're organizing around the right principles at this point."

There is some hype around zero trust, several participants noted, particularly when it comes to vendors trying to hitch their products and services to the topic. But they did not see the concept going away.

"I hear a lot about, is this a buzz word? And three or four years from now, is it going to be a different sort of paradigm?" one official said. "I don't think so. I've asked others if they think so and I haven't heard anybody who's explained to me how it would be a different paradigm in three or four years. So, I think it's the right thing for us to be driving towards — I don't think it's going anywhere for a while."

Finally, a funding source?

Re-engineering an agency around zero trust architecture is an expensive undertaking, and one that is not likely to produce clear cost savings the way some modernization efforts can. "The big problem becomes the money," as one participant put it.

The executive order's reporting requirements, however, could ultimately help agencies build a business case, one official noted. Self-assessments are being used by the Office of Management and Budget to inform a "strategy-slash-implementation plan, trying to describe where agencies need to be on a first order of capability," that participant said.

"If you look at a capability maturity model for zero trust, and you can describe the future plan, we want to put agencies on a roadmap for three- to five-year investment plans to get to that first capability level," the official said. "We're working at guidance to help make it clear what that is and how to do that. And I think what we're also going to work to address is to try to answer a very elusive question of, What is sufficiency in the cyber budget?"

Other participants said the conversations in their agencies were already changing. The executive order "has enabled me to really do some of that education," one official said. "When I come to the bosses and I say, 'Look, yes, we're modernizing our application, but I have to spend $100,000 on servers and switches because the current ones that we're using, I can't make the changes I need to make.' So I have found that to be helpful."

Another noted that some of the key spending may have already occurred. "A lot of the investments that have been made over the last several years are fundamentally aligned with the concepts of zero trust," that official said. "We should be able to reuse a lot of the investments that have been made to get us there. It's not a net new buy from the ground up to get us moving toward zero trust."

Some agencies have already requested supplemental funding in fiscal year 2022 to address the damage caused by the SolarWinds compromise; one official noted that "there were significant plus-ups at nine agencies."

For most agencies, however, the Technology Modernization Fund offers perhaps the best chance for efficient new cybersecurity funding.

"We got a billion dollars," one official said. "That's a lot of money. We relaxed repayment so that there is the opportunity under certain conditions to have very minimal repayment, which means it's not a loan. It's an investment that an agency can make. And we are definitely seeing people tie zero trust plays together in project proposals."

Several other participants confirmed that their agencies had either applied for TMF funding or were in the process of doing so. The more-flexible repayment requirements were a key incentive, they said.

Yet while many "security investments aren't going to save money somewhere" and allow for quick repayment, one participant stressed that there does need to be a longer-term opportunity to realize savings.

"It cannot be always net additive," that official said. "It should be more realistically net zero, if you look over a two, three, four-year timeframe. So I want to emphasize that we should be looking at all investments, all upgrades, all modernizations, regardless of whether it's cyber or not, in that manner."

Room for further improvement

For all the cheerleading that the executive order received in the roundtable discussion, participants had their constructive criticisms as well.

"It feels to me that it's a little bit more leaning towards reactive," one official said. "If this incident happens, you should do that. That's all great, but I think, ultimately, we need to move into a more proactive stance as opposed to a reactive stance."

"I'm not trying to suggest that reactive solutions, and models and clearly identifying who's responsible for what is not important," the official continued, "but I think we need to start moving into either a balanced approach or ultimately tilting towards a proactive thing."

And while the group appreciated the emphasis on whole-of-government efforts, there was some concern that it sent the wrong message.

"There's reference to all of our partner agencies," one official said. "CISA, NSA, FBI. They'll do this, they'll provide this guidance. It's all great stuff, but I feel it's a missed opportunity to call out that regardless of what these partner agencies are doing to support us, the agency head ultimately is still not off the hook. They have to do everything that they can possibly do themselves to make sure that they are protected and they're doing everything to protect their organization."
