VA Outlines Importance of Zero Trust as Threat Landscape Evolves

The Department of Veteran Affairs is accelerating its zero trust journey, as the White House urges federal agencies to secure IT infrastructures and improve cybersecurity.

Agencies are all grappling with how to implement various security strategies as a result of Biden’s May Executive Order on Improving the Nation’s Cybersecurity, key elements of which include zero trust. Over the past year, VA has already been developing a strategy to leverage and integrate zero trust.

“We have to start looking at the areas that we need to protect. Our boundaries are no longer clear,” said Royce Allen, director of enterprise security architecture at VA. “Our boundaries continue to expand and expand beyond that. Now, we’re in a place where we really have to collaborate without vendors so that we can protect that environment.”

The department is looking at how it can leverage zero trust to improve the ways it protects critical data in the face of evolving threats.

“The current security model in which we use for zero trust is no longer working in this world of evolving threats,” Allen said. “As we continue to bring in new technology and new advancements, our telehealth services are critical, and protecting [health] information is also critical.”

Allen outlined the agency’s two priorities as it works to integrate zero trust: protecting health services to help patients and improving supply chain to minimize exploits. VA is launching security awareness programs to provide its workforce with basic protocols and technologies to continue to improve security.

“We must focus on a practice of continuum, verifying identity, authorization and authentication about data uses and our devices,” Allen said. “That’s why we do what we do and why zero trust is critical.”

VA is leveraging DevSecOps to host security applications, which will enable the department to have greater control and awareness. VA is also bolstering its managed services to support digital experiences and solutions, as it moves toward a zero trust framework.

Zero trust requires a comprehensive data management plan, Allen said. VA’s data governance committee has been working on a strategy to identify the department’s workflows with an emphasis on data.

“I know a lot of departments and agencies have already moved toward zero trust. VA is in the planning phases. We’re developing guidelines for how we’re going to assess the readiness of our existing capabilities. We’re looking at our trust zones and finalizing our TIC 3.0 architecture because that will be the baseline for how we’re going to move forward,” Allen said.