As President Biden’s cybersecurity executive order (EO) stretches past its first year, Federal agencies are at varied points in their progress on the EO’s orders. Federal leaders say it is important for agencies to approach the EO’s zero trust components strategically and understand their networks as they make the move to a zero trust architecture.
Part of the EO called for agencies to move towards cloud infrastructure, but Kevin Walsh, director for IT and Cybersecurity for the Government Accountability Office (GAO), said at MeriTalk’s Cyber Central event today that organizations need to first decide what makes sense to go into the cloud versus what makes sense to maintain as a legacy system.
“The government is different than private industry, in that we have a lot of really old, really, really important systems that operate,” Walsh said on a panel. “One of many examples is the IRS [Internal Revenue Service].”
“Some of the systems that process our taxes have been running since the 60s and 70s,” Walsh added. “They don’t just need to do this year’s tax return; they need to do every year’s tax return all the way back to the inception. That stuff is not running in the cloud. How do you put zero trust on something that was built when the internet was in its infancy?”
Walsh also noted that for an agency like the Federal Aviation Administration (FAA), it makes more sense to keep control tower data in on-site data centers to avoid latency in crucial decisions. Driving the point home, Walsh said all of this means that Federal agencies need to think through their move to the cloud strategically.
“When shifting to the cloud, agencies really need to think it through; they need to think through how critical this is,” he said. “What are the associated risks, costs, and potential staffing? … But we also need to think it … for the old stuff that we decided to keep, how are we going to make sure we wrap it up and encapsulate it so that we can keep it running, but also keep it secure?”
Dawn Berry, the Federal lead for security architecture and engineering at the Centers for Medicare & Medicaid Services (CMS) under the Department of Health and Human Services (HHS), said that CMS’s first step toward zero trust was to look at the agency’s existing architecture.
“We had to take a look at our existing advanced enterprise architecture and figure out – with the most recent EO – what are we already achieving and what could potentially be an area we have to change,” Berry said on the panel. “Then we have to make some very big decisions about what should go where.”
She said that for CMS, that means deciding both what does and does not go into the cloud and which type of cloud environment each workload belongs in. Berry also said that, as her agency moves toward a zero trust architecture, it has tried to create a data layer that brings together the disparate tools on the agency’s network.
“We have all kinds of tools in and out from the different areas that are always changing. And we buy these tools, and they all work in this huge, wonderful, advanced enterprise architecture,” Berry said. “We looked for ways to create a new data layer where we can talk to a lot of different holes at the same time and pull data from many different sources.”
“This idea of an overarching layer of data aggregated might not be [just] for one tool, but it can pick up information and intelligence from whatever tools are coming and going,” she added. “That was a second turning point for us, because if we can’t see our assets and we can’t see what’s inside, then we can’t do that. That’s the one hindrance for us to get to the end goal, zero trust, and the other things that are in the EO.”
Both Berry and Walsh emphasized the importance of partnerships in reaching the EO’s goals, whether that is interagency work or intra-agency collaboration between component agencies and their parent agency.
“A new trend that I’m really enthusiastic about is doing it by getting permission … respectful permission, going to the right people and saying, ‘Hey, can I try something new?’” Berry said. “Reach out to find out if they can get permission to form new cross-teams. Try new cross-teams no matter how big your agency is or how decentralized it is.”
Walsh advised that agencies look around them to other Federal agencies working on zero trust architectures.
“You are not in a vacuum; you are not in this by yourself,” Walsh said. “CISA [Cybersecurity and Infrastructure Security Agency] is a fantastic partner; reach out to them and reach out to the other people in your agency. You’re not the only one trying to do zero trust. There are 24 CFO Act agencies and who knows how many mid and small [agencies]. There are other people going through the same thing you are. Reach out; you may help them, and they may help you.”