Eric Sanders, CISO of the Department of Homeland Security’s Office of Intelligence and Analysis, and Michael Epley, Chief Architect and Security Strategist for Red Hat North America Public Sector, discuss zero-trust cybersecurity at this year’s GITEC Emerging Technology Conference.

May 03 2022

With Initial Plans Submitted, Federal Agencies Begin the Journey to Zero Trust

Deploying the new architecture by 2024 will be challenging but doable, say experts from the State Department, DHS and HHS.

Asked how often he’s approached by vendors who promise to deliver “zero trust in a box,” Eric Sanders, CISO of the Department of Homeland Security’s Office of Intelligence and Analysis, just sighed.

“A lot,” he said Monday at the GITEC Emerging Technology Conference in Annapolis, Md. “It’s a challenge. Everyone’s got something to sell. If I called every vendor back, I’d never get any work done.”

It’s one sign of the increasing activity around zero-trust cybersecurity. Another is the recent deadline for agencies to have submitted their initial plans for achieving zero trust: The Office of Management and Budget received those on March 27.

Federal agencies are required to complete those plans by the end of fiscal year 2024, according to the White House’s executive order on cybersecurity.

The top challenge to getting it done is resources, Sanders said.

“It’s not just money, it’s also the people and the products,” he said. “We already have a lot of tools. We don’t have an unlimited supply of money, so we have to make decisions about what best closes this gap.”

Click on the banner to explore more cybersecurity content by becoming an Insider.

Inventory Current Cybersecurity Tools to See What Will Work

“There are a lot of existing things in your portfolio that you can take and apply to zero trust, but not today,” said Michael Epley, chief architect and security strategist for Red Hat North America public sector.

That’s probably because of a second challenge, he said: understanding how to use and deploy zero trust.

“Zero trust is fundamentally how you make access control decisions,” he said. “And how you make those decisions is a business decision. Most organizations don’t know how they make those existing decisions today, or it’s in some guy’s head in the IT department. Zero trust says that’s not good enough anymore.”

The Inspector General’s Office for the Department of Health and Human Services has been communicating the message behind zero trust — that it enables stronger cybersecurity — to employees to help them accept the idea.

“We’re big on zero trust. We really worked with our customers, trying to help them understand it, trying to reduce the fear of it,” said CTO Nicole Willis. “It’s been a culture change.”

At the State Department, IT officials are taking stock of existing cybersecurity tools to see what items can be blended into a new zero-trust environment that will posts around the world.

“Because we’re so dispersed, zero trust is a good thing. In many countries, we don’t trust the networks that we’re working on,” said Landon Van Dyke, CTO for the State Department’s Office of Management, Strategy and Solutions. “It’s actually allowing us to harden certain activities which we otherwise, under traditional architecture, would not have been able to do.”

Among the tools the department is examining is SD-WAN “and how we integrate that with a new architecture,” Van Dyke said, “as well as different types of security measures that we’ve held on to as security blankets.”

VIDEO: See how the State Department uses smart building technology to make embassies run more efficiently.

IT Experts Must Convey the Danger of Not Adopting Zero Trust

Having a solid plan, such as those delivered to OMB in March, is key to a smooth zero-trust deployment, Sanders said.

“We’re all starting on the zero-trust journey from different points,” he said. “A lot of them have a second factor, at least, as part of their authentication process, and some don’t. You have to understand where you are before you can start off on a journey.

“You’re not going to have all the money you’re going to need to get to the end. There is no end, there is no finish line. It’s just constant progress.”

But without acceptance on the part of government users — the most important customers of zero trust — even taking the first steps will be difficult, Sanders said.

“We have a responsibility on the security side of the house to communicate the risks more effectively than we have in the past,” he said. “That’s why we make the business decisions that we do, because we’re not doing a good enough job explaining to business leaders why they should care about it more than they do.”

LEARN MORE: FedTech can guide you along the path to zero trust.

Elizabeth Neus

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.