The White House Office of Management and Budget’s (OMB) zero trust memo issued earlier this year, M-22-09, directed Federal agencies to migrate to zero trust security architectures, but a White House official this week said agencies’ success in that effort will look different for the policy’s various directives.
Eric Mill, senior adviser to the Federal CIO and one of the principal authors of M-22-09, explained that OMB is looking at both “very tangible, technical steps” agencies can take in response to the memo, as well as “broader, architectural changes” that may never reach “100 percent implementation.”
“When it comes to understanding what success looks like, it can vary,” Mill said at a June 16 event hosted by Billington CyberSecurity and sponsored by GDIT and AWS. “For some of these specific things, we have very specific ways of looking at it.”
For example, Mill explained it’s easy for OMB to see from an outside perspective if an agency has encrypted their website domain, and OMB can engage with them if they’re struggling to do so. However, he said it can be difficult to determine progress on some of the memo’s broader change management tasks.
“How do you tackle problems like that? The thing that we are telling agencies is: get things to ‘done,’” Mill said. “Look at the places in your agency where you can make some of this transformational change over a few years, and get it all the way.”
“It’s much better to get some big chunk of the parts of your agency that you care about and actually get it to completion, than it is if in three or four years you’ve gotten it 10 percent diffused across your gigantic organization,” Mill added. “We want to see agencies be able to point to the places where they’ve made those transformational changes, and that’s what’s going to make us feel good about the progress.”
Right now, Mill said his agency is focused on “the multi-year follow-through step of this process,” which involves work from both the agencies and OMB. Agencies have already submitted their detailed zero trust plans to OMB, and now Mill said it’s OMB’s job to engage with every agency on their plan.
In getting into the details with agencies, Mill said OMB can start to identify common themes across agencies, see who the Federal government’s zero trust leaders are, and begin to help other agencies that are not as focused on certain areas.
“One thing that can be easy to do in a policy organization like mine, is it gets very easy to feel that the victory is issuing the policy – because there is so much work involved in doing that. It takes a long time,” Mill said. “But those are really just the beginning.”
“We’re just focused right now on making sure that we’re not just hanging around, waving a piece of paper in people’s faces, but actually getting in the trenches with them,” he added.