The Biden administration issued its cybersecurity executive order (EO) in May 2021, giving marching orders to Federal agencies to move to zero trust security architectures, among other directives. During a SCGov panel discussion today, Federal chief information security officers (CISOs) shared how they’re leveraging their agency’s previous programs around zero trust to fulfill the obligations of the EO.
Shane Barney, CISO at the U.S. Citizenship and Immigration Services (USCIS), and Robert Wood, CISO at the Department of Health and Human Services’ Centers for Medicare & Medicaid Services, both said their agencies had already made zero trust a priority prior to the EO, so the EO was a welcome incentive to accelerate their efforts.
Barney explained that USCIS had outlined zero trust as a priority in a strategy document the year prior “out of just necessity and the realization that USCIS is cloud-based operations.”
“We knew that we knew we wanted to do this anyway, this is just helping us now having an executive order to hold up and say, ‘Hey, yeah, we got to go do this, the White House says so.’ So, big fan,” Barney said.
In terms of operationalizing everything in the EO, Wood said his agency put together a small task force that meets and coordinates regularly to decide how “to tackle certain parts of EO.”
“We also just started looking for like, what are the easy, quick wins? You know, something like EDR [endpoint detection and response] – fairly quick win, if you’re not already doing it,” Wood said.
“Try to break things down into like, what are the minimum viable decisions or actions we can do today or tomorrow, and just start building momentum in the name of like, working towards this destination,” Wood advised.
Wood also took the time to advise agencies to build strong partnerships with the contractor community and vendors to meet the EO requirements as well.
“I’m also a big fan of explicitly including contract team members as well as Fed team members in planning and decisions, things like that,” Wood said. “We have really been trying to lean into a very open and inclusive and transparent culture.”
For agencies looking to find a good resource for meeting EO requirements, both Wood and Barney recommended they look to the Office of Management and Budget (OMB) draft guidance, which provides the next set of road maps for agencies to transition to zero trust.
“Whoever wrote that was just an absolute genius,” Barney said of the guidance. “They wrote it in such a way that they provided us absolutely no escape room. And they were explicit in areas that needed to be explicit, and they weren’t in areas they didn’t need to be.”