Agencies Are Overhauling Security; Others Focus on Specific Goals
Such collective efforts got a boost last April when the Cybersecurity and Infrastructure Security Agency published version 2.0 of its Zero Trust Maturity Model. The model offers agencies a comprehensive blueprint for implementing zero trust principles across five “pillars,” but leaves it to agencies to establish their own particular path to meeting zero-trust goals.
“Federal agencies find themselves at various stages of zero-trust implementation,” says Michael Duffy, associate director for capacity building in CISA’s cybersecurity division. “The model has accelerated diverse responses, with some agencies opting for comprehensive overhauls of their architectures and cybersecurity posture. Other agencies are adopting a more focused strategy, concentrating on modernizing specific pillars.”
Duffy says agencies have trended toward prioritizing identity solutions, especially as they aim to bolster their overall security posture while creating a seamless digital experience for employees, citizens and agency partners. Many are also focused on data tagging and categorization.
“As agencies continue to migrate toward zero-trust architectures, their mindsets must shift to a data-centric approach to cybersecurity,” Duffy says. “This is the pillar where we have the most to improve.”
OPM’s current priority is inventorying data. The agency collects and maintains data for roughly 13 million government employees, retirees and their family members. It recently identified a solution to automate its enterprisewide data inventory and classification capabilities, pulling in massive amounts of information and applying artificial intelligence to help secure it.
At the same time, it’s coordinating zero-trust efforts with its cloud migration strategy, ensuring the two complement and strengthen each other. OPM’s cloud journey is based on Microsoft Azure, and its zero-trust journey utilizes much of the Azure security stack, Saunders explains, including Microsoft Entra ID for cloud-based identity and access management and Microsoft Sentinel for security information and event management.
“And while our zero-trust journey is highly coupled with our cloud journey, we still need to make sure that we’re zero trust in our legacy and on-premises technologies,” says Saunders.
For OPM, like other agencies, that means mainframes. “We’ve found ways to leverage some of our cloud technologies to put what I’ll call a protective shell around the mainframe,” Saunders says. “That way we can enforce modern controls to get into that environment even if we can’t directly embed them into the heart of the mainframe.”