Page 46 - FCW, July 2020

FCW Perspectives
a per-control basis? And how does it better my posture on these federal dashboards?” Only when those questions are answered will agencies have “the ammunition we need in order to pull the trigger on these solutions.”
There are signs of progress, though. In addition to CDM’s evolution and recent changes to the Trusted Internet Connections policy, participants pointed to the more collaborative approach CISA has taken over the past year.
“I think it bodes well for the federal government in general,” one official said. “Yes, leadership chases green — they’re incentivized to do it. But the green is sometimes the wrong green. The people who are writing those questions are now at least a little bit more open to figuring out what the right questions are.”
Focus on the outcome (and start small)
Given the many complexities involved, most of the participants were focused on finding practical starting points rather than perfecting the larger framework.
As one official said about adopting zero trust: “At the end of the day, I’ve got to be able to answer one question: Is my data still protected as a result? If I can answer that question, I’m good.”
Another recommended focusing on specific use cases: “Can enterprises with satellite facilities connect without compromising the entire network? Can contractors get access without compromising the entire network? Can collaboration across enterprise boundaries happen without compromising the entire network? That’s really what we’re talking about from a zero trust perspective.”
Similarly, other participants emphasized starting with clearly defined functional building blocks. “How do we tackle lateral movement?” one asked. “What degrees of trust do we implicitly give to your Common Access Card, to your Kerberos token? What is the exact level of lateral movement that can come from those different things? And then start attacking that.”
Specific applications can also offer a starting point. “A lot of people focus on devices and protecting the device, but it’s actually the application that facilitates the access to that data,” another participant said. “So that should be hardened.”
All admitted that the complexity can be daunting.
“Nothing is going to make this simple,” said one official who urged focusing on the data layer. “But if we can start to define policy at the layer that we care about, we can at least simplify the approach and reduce the number of layers we have to take into consideration.”
And while it’s important to think about design principles at the enterprise level, there was strong consensus that implementations should start small. “I’m of the opinion that the component technologies that enable something like zero trust can be small and have clear finish lines and run in parallel,” one official said. “But I count myself personally fortunate that at my agency, nobody thus far has stepped up and said, ‘We’re going to have a [departmentwide] zero trust initiative’ because that’s intractable.” ■
Participants
Royce Allen
Cybersecurity Architect, Office of Cyber Security Policy and Compliance, Office of Information Security, Department of Veterans Affairs
Stacy Bostjanick
Director of Cybersecurity Maturity Model Certification Policy, Office of the Under Secretary of Defense for Acquisition and Sustainment, Department of Defense
Gerald Caron III
Acting Director of Enterprise Network Management, Bureau of Information Resource Management, Department of State
Guy Cavallo
Deputy CIO, Small Business Administration
Lance Cleghorn
Digital Services Expert, Defense Digital Service
Sean Connelly
TIC Program Manager, Cybersecurity and Infrastructure Security Agency
Matt Connor
Chief Information Security Officer and Director, Cybersecurity Office, National Geospatial-Intelligence Agency
Jon Feibus
Chief Information Security Officer, Nuclear Regulatory Commission
Daniel Jacobs
Cybersecurity Coordinator, General Services Administration
Wanda Jones-Heath
Chief Information Security Officer, U.S. Air Force
Lauren Knausenberger
Chief Transformation Officer, U.S. Air Force
Lisa Lorenzin
Director, Transformation Strategy, Zscaler
Don Lovett
CIO, Office of Contracting and Procurement, City of Washington, D.C.
Ranjeev Mittu
Branch Head, Information Management and Decision Architectures Branch, Information Technology Division, U.S. Naval Research Laboratory
Jose Padin
Director of Pre-Sales Engineering, U.S. Public Sector, Zscaler
Timothy Persons
Chief Scientist and Managing Director, Government Accountability Office
Scott Rose
Computer Scientist, National Institute of Standards and Technology
Karim Said
Lead Cybersecurity Specialist, NASA
James Saunders
Chief Cybersecurity Architect and Acting Security Operations Branch Chief, Small Business Administration
Note: FCW Editor-in-Chief Troy K. Schneider led the roundtable discussion. The May 21 gathering was underwritten by Zscaler, but the substance of the discussion and the recap on these pages are strictly editorial products. Neither Zscaler nor any of the roundtable participants had input beyond their May 21 comments.