As federal agencies implement their zero trust strategies, federal cyber leaders say they must rely on each other to identify best use cases and methods.
Security leaders at NASA, the Department of Energy (DOE), and the Department of Health and Human Services (HHS) said communication across all sectors is essential to achieve successful implementation of zero trust.
Agencies have recently had a moment of realization about the need to work across service lines, said NASA Enterprise Cybersecurity Architect Mark Stanley during the 2023 ATARC Zero Trust Summit on Thursday.
Since the Biden administration's January 2022 zero trust memo outlining metrics for agencies to hit by the end of fiscal year 2024, NASA tech leaders dedicated resources to eliminate communication barriers once they realized communication was their biggest challenge to implementing zero trust.
“So that we can achieve what zero trust is trying to help us do, which is better understand our networks, better defend our networks, to share information, safely and securely,” Stanley said. “Those are huge for NASA.”
Jodi Kouts, the senior advisor for policy at DOE, said her agency is also making communication a priority.
At DOE, software supply chain security helps to enable zero trust implementation and ultimately protect credentials and user identities. Following the high-profile SolarWinds and Log4Shell cyber incidents, the Consumer Financial Protection Bureau (CFPB) and the Department of Education also made zero trust a top priority.
“One of the things that we realized is that we have to increase our collaboration. We have to communicate, we have to share some common guidance and common goals,” Kouts said. “And it's very important for us to leverage those lessons, learn, adopt, to the extent possible, sometimes technologies across the enterprise in order to ensure that we have that interoperability.”
HHS leaders noted zero trust is a necessity to execute the mission. Recently, the department noticed benefits from zero trust around fraud prevention and creating more robust user profiles.
“I’m all about the secure execution of the mission. Cybersecurity doesn't exist for its own purposes, it’s to facilitate the organization in advancing the ball through deliberate services for the American people, or whatever those missionaries are,” said Conrad Bovell, branch chief of cybersecurity advisory and strategy at HHS's Office of Information Security.
Cross-platform communication will prevent federal sectors from experiencing repeated challenges, Bovell added.
“The joy, the new experience, when you recognize that there's a specific area that is causing you to have considerable amount of pain because budgeting, technology, resources that you have or are not there, and you're trying to figure out what in the world am I going to be able to do — because I don't want to just have conversation with 18 vendors on their products, their individual products, and then all of a sudden you're sitting in the discussions; now we're introduced to an organization that is mature in that particular territory, and they're explaining to you the challenges that they have,” Bovell said.