CIOs are Implementing Zero Trust to Secure IT Infrastructure
CISA’s Robert Costello and Commerce’s Nagesh Rao talk zero trust, standardization and culture change.
The Department of Commerce and Cybersecurity and Infrastructure Security Agency (CISA) are implementing new security strategies like zero trust and multifactor authentication (MFA) to build out resilient IT infrastructures as the cyber threat landscape continues to evolve.
CISA is in a unique position: it helps other federal agencies comply and align with federal security mandates. The agency’s CIO Robert Costello explained during GovCIO Media & Research’s Blueprints of Tomorrow virtual event that he’s focusing on zero trust solutions like MFA, faster ATOs, continuous evaluations and risk-based approaches.
“I have to make sure all the programs of CISA have the technology that they need to deploy those solutions to the rest of the federal civilian executive branch or critical infrastructure partners. A big part of my role there is making sure that we’re modernizing our own internal approach to security,” Costello said. “I think we’ve been really successful there.”
Nagesh Rao, Commerce Bureau of Industry and Security (BIS) CIO, explained some of the zero trust pilots his team has launched to develop a “security first” mindset. He noted that zero trust is not an end-all, be-all solution, but it can help agencies prepare for and quickly mitigate evolving cyber threats.
“I think everyone thinks that zero trust means it’s going to be secure and safe,” Rao said. “[But] if a hacker has the mindset to break in, they’re going to break in — they’ll figure it out. What we have to do is be responsive to that if it does happen — be ready for it, be able to counter it, mitigate it and correct it.”
Rao’s current focus is moving to the cloud. He noted that BIS is on target to be 100% cloud native within the next four to six weeks. Once completely cloud native, Rao will focus his efforts on leveraging the next generation of cloud solutions, specifically related to cybersecurity.
As DOC continues to modernize and secure its infrastructure, Rao offered advice to industry partners: standardize solutions.
“I have to have something that’s portable. I have that’s not that can change quickly. Stop doing customization,” Rao said. “Work off the baseline that everyone operates on, then you build off from that.”
Workforce training and recruitment are top of mind as CISA and Commerce continue to accelerate security. By focusing on people, agencies will be able to better account for the identities and devices accessing their networks, which became even more critical with the COVID-19 pandemic and remote work.
“It comes down to the people first when it comes to cybersecurity and ensuring that risk model — people, people, people — that’s what’s so most important,” Rao said. “I’m noticing it with my CISO team and my colleagues in the cybersecurity area that it’s education, awareness and understanding.”
Costello explained that CISA is adding flexibility to attract and retain top talent through offerings like telework, modern technology and automation to reduce workforce burdens. DHS also recently launched its new hiring system, the DHS Cybersecurity Service, to streamline hiring processes, offer more competitive compensation and increase diversity.
“It’s not just around providing the proper training, but it’s also recruiting efforts as well,” Costello said. “We want an environment where people can bring up issues as they occur. I’d rather have people over-report potential security issues than under-report them. That’s really important.”