The Office of Personnel Management is replacing its virtual private network and firewalls for end users during the second phase of its $9.9 million zero-trust networking project, according to CIO Guy Cavallo.
OPM’s project spans the federal zero-trust strategy’s five pillars — identity, devices, networks, applications and workloads, and data — and will accelerate the agency’s adoption of a zero-trust architecture.
The project was made possible by the Technology Modernization Fund and will help OPM meet the requirements of the Executive Order on Improving the Nation’s Cybersecurity and move closer to the optimal stage of the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model while continuing to manage sensitive personal data for millions of current and former federal employees.
“We have projects well underway,” Cavallo says. “We purchased our software. We’ve started building our first zero-trust models.”
A Phased Approach to Zero Trust
OPM is working in four phases. Phase 1 involved evaluating zero-trust products, and Phase 2 is ongoing. Phases 3 and 4 are locking down the identity management model and managing data access, respectively.
That final phase is about locking down the data so that users have access only to the data they need. OPM will classify its data so users understand what level of access they have.
“It’s a data classification model, which is really going to be good for all federal agencies because it makes you look at what data you have and who should be able to see it,” Cavallo says. “I think it's going to help shine the light on some of that data that we collect as a government that we don't use and, really, what's the most important data to collect.
LEARN MORE: Why zero-trust architectures should include data protection, cyber recovery.
OPM Looks to Build Zero-Trust Best Practices for Agencies
OPM is also interested in generating zero-trust best practices throughout its project, Cavallo says.
The agency has already given CISA feedback on its early findings, which it’s incorporating into its zero-trust guidance.
“There are several different ways you can do zero trust, so it's not going to be one size fits all,” Cavallo says. “What we want to do is share our lessons learned with the other people that are following our vendor and our model so they don't have to reinvent the wheel.”
Click the banner below to learn how federal agencies are implementing zero trust architecture.
How OPM’s Zero-Trust Journey Impacts Its Cloud End State
OPM’s zero-trust project will affect everything it does in the cloud, Cavallo says.
Once a user is on the network, transitioning from the existing “high wall” model of unfettered access to a system that limits access by individual user will be “critical to improving our cloud’s cybersecurity,” he says.
The cloud gets federal agencies out of the role of patching and updating software, which is something the government struggles with, Cavallo adds.
Instead, that responsibility is put in the hands of cloud providers. Cavallo says he’ll be most satisfied when everything’s running in the cloud and he’s able to turn off both of his data centers completely.
“That will mean that I have my disaster recovery automatically built in,” he says. “I'm able to do elasticity when we have peak demands or things that are very hard to do with an on-premises data center and keep the cost reasonable logging in.”
