Page 43 - FCW, September/October 2021
a lot of this [requires] policy changes,” one participant said. “Do I have to do it at the agency level? Is it going to be done at the federal level? Some policies probably have to change at the federal level. Is that going to happen?”
“The technologies are there,” another official said. “It’s just a matter of integrating them correctly and understanding what your needs are, what your gaps are, what you have and what you can do with what you have. But it’s really a lot of the non-technical stuff.”
Prescriptive but not restrictive
The group agreed that the executive order sets a results-oriented tone. “I think the EO is really the spirit of trying to get us to be effective at cybersecurity, not just compliant,” one participant said — a welcome change from the compliance mindset that is associated with Federal Information Security Modernization Act (FISMA) requirements.
“When we talk about zero trust and we talk about different security measures that we put in place in order to mitigate risk, there are practicalities of execution associated with them,” another official said. “If we’re not given the opportunity to be innovative and think outside the box because we have to be so strict to the theory, then you’re not going to get the benefit of that brain power thinking about a problem differently to react to situations that we haven’t encountered. I fully respect the idea of not being so strict in how you approach the problem that you can’t see different solutions that allow you to mitigate risk on a larger scale.”
Some participants noted that FISMA was never intended to be a security checklist. “Ultimately, what it says is federal agencies need to manage risk,” one participant said. “There needs to be accountability. Someone needs to understand and accept the risk at a senior level.”
But others in the group said they see that compliance mindset in their organizations. “We are constantly a security control assessor versus a cyber risk assessor,” one official said. “We are trying to right that ship where we aren’t going down the checklist.”
Another argued that progress is being made: “I have been really impressed just over the last couple of years with the efforts within the government to update guidance to make it easier to reflect these changes, to make things more flexible and to take advantage of some of the modernizations like cloud-delivered zero trust as opposed to the traditional network-centric approaches. The NIST 800-207 guidance is an excellent example of that. It is prescriptive without being restrictive.”
“It is a beautiful framework that doesn’t paint people into corners,” that official added. “It helps them get to thinking about: ‘What is in my architecture that I can already use in my ecosystem? What gaps do we need to fill?’ It’s very encouraging.”
Another participant cited the Defense Information Systems Agency’s Thunderdome initiative as an important pivot for the Defense Department. It provides zero trust secure access ser-