How Zero Trust Modernized Grants Management at Justice Department

As federal agencies hunker down on modernization efforts and cybersecurity capabilities, the Office of Justice Programs has been integrating zero trust frameworks into the modernization of its grants management system over the past few years.

The office issues grants across the Justice Department and began modernizing its grants management system in 2018. After a year of planning, OJP’s IT team saw that integrating an identity governance strategy would be a critical piece of the modernization strategy. OJP CISO Jaime Lynne Noble noted this was especially key amid all of the stakeholders who engage with the grants system.

“We have people who are external — so law enforcement, communities, governor’s offices and the like who apply for grant funding through our system,” Noble said during a NextGov event. “We have a lot of external stakeholders who are then going to have identities within our system to do what they need to do to manage their funding, apply for their funding.”

Noble added that there are also internal stakeholders who work with OJP’s grants management system, including the FBI, Justice Management Division, Executive Office of U.S. Attorneys, Criminal Division and other components of DOJ. These individuals peer review and examine solicitations to ensure that grant applicants will appropriately use their funding.

To ensure secure access for these various parties, Noble and her team started to implement an identity governance system alongside an access management system for the grants management system starting in 2019. OJP conducted a bulk of this work by partnering with the General Services Administration’s SAM.gov and Grants.gov.

“If [users] want to apply for federal funding, they already have to have an identity in SAM.gov, so we match this entity administrator with their identity in SAM,gov,” Noble said. “The person is then responsible for inviting others to be part of their external organization to manage the funds. They typically have an application submitter, they have somebody who’s in charge of the funds, and then they have somebody that’s in charge at their entity that would approve or accept the award if they are awarded funding.”

Although these recent efforts securely expand the access perimeter around OJP’s grants management, OJP was relatively remote before this one instance of modernization and therefore had some zero-trust principles weaved into its infrastructure.

OJP’s IT organization had already implemented critical modernization components like implementing a virtual desktop infrastructure and remote access to tools, applications and certain data. Noble said the nature around this work made zero trust a preexisting pillar of importance for modernization efforts like those for the grants management system.

Throughout these shifts in security strategy, Noble said her team has noted that zero trust has driven overall IT modernization.

“Zero trust is really going to enable modernization of not only security architecture, but really our IT architecture overall,” Noble said. “We moved to the cloud, maybe eight years ago now, and … when we first started, we had to route all the traffic through our trusted internet connection and the Justice Department’s trusted internet connection. Now, with zero trust, it allows us to take advantage of not only Infrastructure as a Service cloud service providers, but Platform as a Service and Software as a Service, where we couldn’t route them through those internet connections as easily.”