White House official: Next phase of zero trust will focus on operations
The federal government is in a “great place” following an agencywide deadline on zero-trust architecture implementation and is now looking ahead to more challenging aspects of the cybersecurity model, according to a White House official.
Mike Duffy, the acting federal chief information security officer, said in an interview with FedScoop that the next phase of zero-trust architecture implementation will focus largely on operations, taking near-term technical controls and leveraging those into a “longer-term technology transformation effort” and more defensible architectures.
“We are ready to take off and prepare for addressing those more complex challenges of an agency’s architecture,” Duffy said. For a specific agency, that could mean “really honing in on a high-value asset that they know needs to apply a particular type of zero-trust principles or architecture. That is really the shift.”
Duffy expressed confidence in what’s to come for agencies’ zero-trust objectives following the Sept. 30 implementation deadline that aligned with Office of Management and Budget guidance. While agencies are still in the “high 90% range,” a figure previously reported by the federal CIO and confirmed by Duffy, the acting CISO said agencies continue to be “very focused, budgeted, resourced” to make sure they are “truly covering all critical assets.”
There’s also interest from agencies in shared services opportunities for additional cybersecurity and zero-trust strengthening efforts, Duffy added.
“How can the federal government, either through [the Cybersecurity and Infrastructure Security Agency] and the Continuous Diagnostics and Mitigation program and others, provide additional capability and support, as CISA already has been doing?” Duffy said. “We’ve spent a lot of time convening through both the federal CISO council and through other forums, but just making sure that agencies who have found success are sharing those lessons learned with others to apply within their own unique environments.”
The acting federal CISO touted “tremendous progress” by agencies toward almost complete zero-trust implementation at the current standards and pointed to a scorecard on Performance.gov that “gives a sense of where agencies are with those foundational elements.”
“We are positioned and ready to take advantage” of the defensible architecture side of the next phase, Duffy said. There is still, however, a “final mile” where agencies often must apply additional resources for complex architectures that have not been resourced well enough to take on new capabilities for zero trust.
“I’m hopeful that it’s a matter of proper resourcing, which you’ve seen in the administration’s cyber priorities,” Duffy said. “That’s something that OMB can work with the agency to see how we can prioritize and deploy capabilities in support of that. There are operational technologies that are certainly challenging to agencies as they think about how they can resource and support a zero-trust architecture in those environments.”
This “final mile” still includes security controls and compensating controls that agencies are “always considering,” Duffy said.
“CIOs and CISOs recognize that these can be challenging environments,” he said, “and applying zero trust as quickly as we have has been a tremendous achievement.”