James Saunders, CISO for the Office of Personnel Management, is working to implement a robust zero-trust architecture.

Jan 29 2024

OPM, GSA, SEC Provide Updates on Zero-Trust Plans

With the Sept. 30 deadline for implementation plans nearing, civilian agencies are making their final moves.

When the Office of Personnel Management secured $9.9 million from the Technology Modernization Fund to support its zero-trust security efforts, the agency was thinking big.

“We wanted to tackle it all,” says OPM CISO James Saunders of its journey to a zero-trust architecture. “Because if you tried to do it sequentially — maybe networks first, then data, then identity — it would take too much time.”

And for federal civilian agencies, the clock is ticking. Office of Management and Budget Memo M-22-09 requires them to meet zero-trust objectives by the end of fiscal year 2024. That includes implementing identity management systems and multifactor authentication, employing secure endpoint detection and response solutions and encrypting network traffic.

“From a priority perspective, we’re working on them all at once, with different teams involved,” Saunders explains. “Some are progressing faster than others.”

Some of the TMF funds went into expanding OPM’s cybersecurity team with experts in zero-trust implementation, and judging from the progress to date, Saunders is hopeful OPM will meet all its targets by the end of September. “Yes, managing the portfolio is one of the bigger challenges, but we’re all pulling in the same direction,” he says.

Agencies Are Overhauling Security; Others Focus on Specific Goals

Such collective efforts got a boost last April when the Cybersecurity and Infrastructure Security Agency published version 2.0 of its Zero Trust Maturity Model. The model offers agencies a comprehensive blueprint for implementing zero-trust principles across five “pillars,” but leaves it to agencies to establish their own particular path to meeting zero-trust goals.

“Federal agencies find themselves at various stages of zero-trust implementation,” says Michael Duffy, associate director for capacity building in CISA’s cybersecurity division. “The model has accelerated diverse responses, with some agencies opting for comprehensive overhauls of their architectures and cybersecurity posture. Other agencies are adopting a more focused strategy, concentrating on modernizing specific pillars.”

Duffy says agencies have trended toward prioritizing identity solutions, especially as they aim to bolster their overall security posture while creating a seamless digital experience for employees, citizens and agency partners. Many are also focused on data tagging and categorization.

“As agencies continue to migrate toward zero-trust architectures, their mindsets must shift to a data-centric approach to cybersecurity,” Duffy says. “This is the pillar where we have the most to improve.”

OPM’s current priority is inventorying data. The agency collects and maintains data for roughly 13 million government employees, retirees and their family members. It recently identified a solution to automate its enterprisewide data inventory and classification capabilities, pulling in massive amounts of information and applying artificial intelligence to help secure it.

At the same time, it’s coordinating zero-trust efforts with its cloud migration strategy, ensuring the two complement and strengthen each other. OPM’s cloud journey is based on Microsoft Azure, and its zero-trust journey utilizes much of the Azure security stack, Saunders explains, including Microsoft Entra ID for cloud-based identity and access management and Microsoft Sentinel for security information and event management.

“And while our zero-trust journey is highly coupled with our cloud journey, we still need to make sure that we’re zero trust in our legacy and on-premises technologies,” says Saunders.

For OPM, like other agencies, that means mainframes. “We’ve found ways to leverage some of our cloud technologies to put what I’ll call a protective shell around the mainframe,” Saunders says. “That way we can enforce modern controls to get into that environment even if we can’t directly embed them into the heart of the mainframe.”

How the GSA Is Changing Traditional Security

The General Services Administration is currently focused on three strategic building blocks that reflect CISA’s maturity model.

“We’re modernizing and redesigning our legacy Active Directory stack and aligning to a new identity, credential and access management target architecture to ensure secure authentication and identity validation for GSA staff, partner and public access,” explains GSA CIO David Shive.

“We’re also breaking down our traditional network perimeter–based approach in favor of moving security directly to users, devices, applications and data. And we’re focused on modernizing our security operations center and expanding it to also cover our governmentwide shared services.”

Shive says GSA has made solid progress toward its zero-trust architecture, including implementation of a new secure access service edge (SASE) solution for connecting users wherever they work, achieving secure authentication, validating identities and negotiating access at the application level. SASE plays a key role in addressing CISA’s recommendation of employing microsegmentation to achieve zero trust.

“Through our microsegmentation, where the network is divided into smaller, isolated segments, we’re limiting lateral movement within the network, making it more challenging for attackers to access sensitive data,” Shive says.

GSA has also implemented the full suite of tools offered through CISA’s Continuous Diagnostics and Mitigation Program, as well as CISA’s CDM Agency Dashboard for aggregating and displaying data about devices, users, privileges and vulnerabilities.

“Having real-time situational data and tools is critical for us to understand what is happening across our technical environment and to be able to use this data to proactively react and safeguard our IT assets,” Shive says.

Agencies Look to Balance Zero Trust and UX

Among the lessons GSA has learned in its journey to zero trust, Shive says, is the need for user education and awareness. Zero trust necessarily changes the way people access IT systems and resources, so prioritizing user experience without compromising security requires ongoing communication. “Change management and outreach to stakeholders are critical for success,” Shive says.

In fact, Securities and Exchange Commission CIO Dave Bottom believes change management could be a pillar in CISA’s Maturity Model.

“This is a continuous process. I don’t think version 2.0 is going to be the last one,” Bottom says. “Zero trust implies you’re going to introduce some friction for users. One of our challenges has been to make sure we’re engineering the customer experience with the right balance between friction and usability. We’ve certainly added some friction, but it’s the right amount.”

The SEC has also integrated its zero-trust journey into its cloud modernization efforts and is pushing hard to meet OMB’s requirements for this year. Among other efforts, Bottom says, the agency is working with providers to ensure it maintains a clear inventory of the data and assets it must protect.

“We’re operationalizing a shared-responsibility model to keep track across our multicloud environment and integrate zero trust,” he says.

Getting foundational zero-trust measures into place — what Bottom calls the “basic blocking and tackling,” such as identity management and multifactor authentication — has allowed the SEC to show significant progress. Such foundational measures may ultimately prove key to meeting OMB’s goals across the government.

“Planning for and experiencing early wins is incredibly important for an organization,” says CISA’s Duffy. “It helps the team refine approaches and best practices at a smaller scale and build confidence, which is key to the change management aspects of this effort. We encourage agencies to start with and implement what’s possible today, but also plan for future efforts.”

Photography by Gary Landsman
