The Federal Move to Zero Trust

Billington Federal Cyberbytes Ep. 11
The Modern CERT in the Cyber Defense of the Nation

  • Brigadier General, USAF (ret) Greg Touhill, Director, CERT Division, Carnegie Mellon University, Software Engineering Institute
  • Bruce Brody, Senior CISO Advisor, Cisco

Terry Burruss, Senior Content Advisor, Billington CyberSecurity


On 13 April, Cisco Cyber Advisor Bruce Brody interviewed Gerald Caron, CIO of the Office of Inspector General at the Department of Health and Human Services (HHS OIG), for a Billington Cyberbyte. In a twenty-minute conversation, Mr. Caron laid out his views on Zero Trust, his efforts to prioritize and implement the activities that move his organization closer to continuous monitoring and verification, and things for others to consider as they plan their own Zero Trust journey.

Mr. Brody began the conversation by asking Mr. Caron for his thoughts on the Biden Administration's efforts to push the entire Federal Government towards adopting Zero Trust as a framework to bolster cybersecurity. Mr. Caron lauded the policy, saying that it was long overdue and that he believed it would stimulate the Government-wide cybersecurity effort towards better cybersecurity overall. Brody followed up by asking how Caron and his organization were prioritizing the many things that OMB (under the Federal Zero Trust Strategy, OMB Memorandum M-22-09) was asking Federal Agencies to do to embrace the Zero Trust framework. Mr. Caron highlighted several things, including the following.

  • Caron advocated a strong data-protection focus built on a real understanding of the levels of protection each class of data needs. In order to balance security with usability, this understanding should be based on the data's importance and value, should label the data so it can be protected accordingly, and should include a clear picture of how the data is used, how it flows, and how it is shared.
  • He also recommended a strong understanding of the entire ecosystem that is being asked to be protected. This understanding should cover the components, underlying infrastructure, applications, data, and, most importantly, the users of that ecosystem. He highlighted the value of a strong functional-capabilities model: it gives a better picture of what is already being done in the cybersecurity space, a keen understanding of remaining gaps and areas still under development, and a way to prioritize available resources against both continuing requirements and the gaps.

Caron emphasized that, like most federal-government organizations, he operates on a two-year budget cycle, and noted that a strong model helps him focus on the best use of those resources within that window as well as giving him well-founded new asks for the next cycle.

In terms of how he works with the private sector, Caron described a simple approach: understand the resources he already has, recognize the gaps he needs to fill, and then do his own market research to see where private-sector services and technologies can fill those gaps. The five key areas he is currently working on are:

  1. Data mapping;
  2. Identity management;
  3. Dynamically integrating key cybersecurity awareness and activities;
  4. Improving confidence in understanding and proactively countering organizational risks; and
  5. Continued cyber and employee workforce training.

As the CIO, he is very focused on risk reduction, getting the foundational cybersecurity elements right, and ultimately building new policies that work with the Zero Trust framework rather than being re-paved from the old castle-and-moat security model. Key to all of this, according to Caron, is protecting the data that his organization uses and has been entrusted to protect. Caron sees users as a central part of the cybersecurity business and clearly distinguishes the different roles they play, whether the day-to-day investigators using the system, the C-suite making strategic resource decisions, or the American people who have entrusted his organization to do its job. He feels strongly that knowing how they work, what they need to get their jobs done, and what is ultimately delivered and accounted for to US taxpayers is key to understanding his risk-reduction job. "Each organization will be different in regards to this risk question," he commented, "due to the fact that each organization does have different requirements in regards to what they do and the data needed to do it." His role, ultimately, is to enable the mission while finding better ways to accomplish it securely.

Mr. Brody also inquired about Mr. Caron's role in co-chairing the federal government's Zero Trust Working Group and how he saw the group's efforts shaping a government-wide move to the framework. Mr. Caron explained that the group sprang out of earlier work under the CIO Innovation Council, which years ago began looking at how to adopt NIST SP 800-207, the Zero Trust Architecture standard. The group had already built a track record of trust building and test cases on which to base a strong foundation of best practices. He cited, for example, a recent test case in which one organization used the group to stress-test a previously authorized (ATO) system against the new Zero Trust requirements, giving participants a host of new perspectives on what would be needed to move to the new framework. He also highlighted the group's work on a Zero Trust playbook led by GSA, an effort building on the cybersecurity playbooks the group had produced in the past, which proved very helpful in making better time and resource decisions. Mr. Caron also pointed to his work with several non-profit Zero Trust working groups and noted that there is a wealth of learning going on throughout the government. "I am always learning something new with every engagement," he confided, "and it provides me with an amazing perspective of just how many people Zero Trust will impact when fully implemented across the entire federal spectrum." Lastly, Mr. Caron pointed to a host of other good work across the federal sector that would affect Zero Trust and cybersecurity in general. He singled out the recent effort by DHS/CISA to provide standards for implementing mobile Zero Trust, and noted CISA's transparency in putting that effort out for public feedback.

Overall, there was much to reflect upon in Mr. Caron's comments and in the topics discussed in this Cyberbyte. Mr. Caron's engagement reflected a recognition that Zero Trust is a journey; that it requires a multi-faceted, layered approach that takes time to enact fully; and that continued learning will be key to getting Zero Trust done.