Zero Trust is Key to Hybrid Federal Workforce

Federal agencies are embracing the hybrid workforce to attract talent and boost employee morale, but cybersecurity — and zero trust — are key to the longevity and success of this model.

Between 2019 and 2021, the number of people primarily working from home tripled from 5.7% to 17.9%, according to the U.S. Census Bureau. The Office of Personnel Management’s (OPM) 2022 Federal Employee Viewpoint survey found only about one in three government workers work from an office five days per week.

In a December 2022 interview with GovCIO Media & Research, the Department of Veterans Affairs Deputy CIO and Chief People Officer Nathan Tierney said VA is focusing on offering incentives such as remote work and special pay rates for technology talent to incentivize people to join the agency’s tech team and compete with private industry.

“Over 62% of our IT workforce is working remotely. We are going to continue to expand as we modernize our workforce,” Tierney said. “Data, AI and other advanced techniques that you see in the private sector, we need to bring into the public sector if we’re going to achieve the vision of being a world class IT organization.”

As government looks to increase remote positions to attract top talent, agencies are reevaluating what it means to be “secure” in the new workplace. That’s where zero trust comes into play.

The Move to Zero Trust

Zero trust is not a product or a service, but a strategy. Instead of relying on a perimeter-based approach, every user, device and app must be verified for every point of access.

President Joe Biden’s May 2021 cybersecurity executive order ignited the transition to zero trust architectures, which led to the expansion of tools such as identity, credential and access management (ICAM) solutions, data governance and automation.

“The recent legislation is really brought into focus, some very key initiatives for all federal agencies to focus on,” VA CISO Lynette Sherrill told GovCIO Media & Research in a recent interview, which will be featured on CyberCast in March 2023. “All throughout fiscal year 2022, we made some significant advancements with deployment of endpoint detection and response capabilities. We also implemented and improved our security vulnerability management program. We’re now able to say that we have more than 93% of our vulnerabilities managed on our network, well above industry standard of about 70%.”

Following the zero trust executive order, federal agencies began developing and implementing zero trust strategies, including the Defense Department’s five-year zero trust strategy and VA’s Zero Trust First Cybersecurity Strategy, to provide guidance and measures to effectively secure agency assets.

VA is developing a roadmap to get to zero trust, which enables the agency to take a holistic approach to its cyber posture. VA also requested a $107 million increase to its fiscal year 2023 cybersecurity budget to provide more funding to its information security program, focusing on implementing zero trust principles.

VA CIO Kurt DelBene said he is focusing on a zero trust framework to develop a set of measures of security and inform decision-making moving forward.

“There’s nothing more important than securing the organization, securing the assets that we have, and — at its heart — it’s about securing veteran data, which is our commitment to them,” DelBene said during a Sept. 30 media roundtable.

Training and Recruitment

Change management is critical to developing a “security first” mindset across the federal workforce.

The Defense Department’s newly released 2023-2027 DOD Cyber Workforce Strategy is built around four tenets: performing capability assessments and analysis processes to stay ahead of force needs, establishing an enterprise-wide talent management program, facilitating a cultural shift within the department, and developing partnerships “to enhance capability development, operational effectiveness and career broadening experiences.”

“We need a dedicated workforce strategy … looking not only at cyber, but broader STEM efforts, and what we’re doing across the enterprise era. So, we have a strategy specifically on this as we look to diversify the workforce … this really is our generation space race,” DOD CIO John Sherman said during the Sept. 2022 Billington Cybersecurity Summit.

Workforce training and recruitment is also top of mind as the Department of Commerce continues to accelerate security. By focusing on the people, agencies will be able to better account for identities and devices accessing networks.

“It comes down to the people first when it comes to cybersecurity and ensuring that risk model — people, people, people — that’s what’s so most important,” Commerce’s Bureau of Industry and Security CIO Nagesh Rao said during GovCIO Media & Research’s July 2022 Blueprints of Tomorrow virtual event. “I’m noticing it with my CISO team and my colleagues in the cybersecurity area that it’s education, awareness and understanding.”

VA’s zero trust journey relies upon integrating zero trust principles within the workforce, DelBene said during GovCIO Media & Research’s Sept. 2022 Zero Trust event.

“We reworked the team and set a vision of being vision oriented, having great execution operational rigor, security rigor and focusing around a delightful end-user experience,” DelBene said.

DelBene acknowledged zero trust as a powerful framework for security. If it’s implemented well within an organization, the workforce should understand the key principles inside and out. Security should be a part of an employee’s passion and how they approach their work at the agency, he added.

“First thing we should do is get a workforce that fundamentally believes security is the most important thing,” DelBene said. “The people driving your system need to have a sense of what zero trust means to them. Designers and developers have to have that inherent thought that security is at the core of what they do.”

Sherrill said VA uses tabletop exercises and simulations to prepare the workforce to respond to breaches and drive an Agile approach to security. Her agency also holds an annual cybersecurity and privacy training that all employees and people accessing VA’s network are required to complete.

“My mantra with the team lately has been if we have a [security] event, or even if we hear of an event that’s happening in industry, that we take that, we bring it into our environment, and we try to learn from it so that we are more secure on the on the other side of that event than we were going into it. So, let’s constantly be learning and improving everything that we do today.”

Identity Management: A Critical First Step

Identity management techniques such as multifactor authentication (MFA) and least privileged access are core tenets of zero trust. The Department of Health and Human Services (HHS) and VA are focusing on identity management to build resilient IT infrastructures, sustainable even in a remote or hybrid environment.

Sherrill said VA has enforced MFA with 96% of the agency’s end user community.

“Zero trust is really at the heart of our cybersecurity strategy. And what that means is we enforce strong identity verification. So, [for] every end user on our network, we know who they are and where they’re authorized to go,” Sherrill said. “We also ensure that the devices connecting to our network are healthy, meaning they haven’t been compromised, they have all the latest patches, they have all the latest security configuration.”

HHS Office of the Inspector General CIO Gerald Caron said authentication is critical in the hybrid work environment. Different methods of identity proofing lead to varying levels of risk.

“When I come up with my confidence score, how much I trust that common access card (CAC) or personal identity verification (PIV) card is going to probably have a lower risk than your username, password or some other methods of authentication,” Caron said during an event last year. “That will depend on what I’m going to allow you to do… once you get to that authoritative identity, you can start to look at automation of the provisioning and deprovisioning.”

Remote work also increases the number of devices on agency networks. Bring your own device (BYOD) programs enable employees to connect their personal devices to employer networks and access work-related systems and agency data.

The Department of the Army, for example, announced it is preparing to roll out its Bring Your Own Device program to about 20,000 soldiers and civilian employees. During a CyberCast interview with GovCIO Media & Research, Lt. Gen. John Morrison, the Army’s deputy chief of staff, G-6, said the BYOD program aligns with the larger Defense Department effort to allow service members and civilians to work on their phones and home computers. Now, the focus is on user experience and security.

“We really have sort of inside our Army flipped the paradigm of how we look at the problems. Instead of cybersecurity being something we bolt on at the end, that’s really not a good way to approach it. We bake it in on the front end,” Morrison said. “With bring your own device, that’s exactly what we’ve done. And the technical instantiation is, while there’s an application that resides on your phone, none of the data does. It’s still all resident in the cloud with the appropriate defensive cyber watch over the top of it.”