
Education CISO Sees Zero Trust as Key to Improved CX

Identity management remains a focal point for the agency as it enters the second phase of its zero-trust migration plan.

Department of Education headquarters. Photo Credit: Tada Images/Shutterstock

The Department of Education’s zero-trust architecture implementation plan prioritizes enhancing the user experience for both employees and the public, CISO Steven Hernandez told GovCIO Media & Research on CyberCast while discussing the agency’s strategy.

The White House cybersecurity executive order requires agencies to have strong identity management and to implement multi-factor authentication and encryption for data, both at rest and in transit throughout their systems.

Hernandez said a primary undertaking has been to create a process for identity proofing, in which an employee provides information about themselves to establish a known identity for accessing agency infrastructure, as happens when a personal identity verification (PIV) card is issued.

“If you’re working in the federal government, if you’re an employee or a contractor working directly with us, we want you to have a very high level of identity proofing,” Hernandez said. “Usually that happens when we get our badge or our PIV. We bring two forms of ID with us. We put down biometric fingerprints, and we have our photo taken. And all of that gets matched up to say, ‘OK, we have a very strong opinion that Steven is who he claims to be.’ Then, our goal is to then use that identity as the prime identity for any system access.”

The successor to the executive order, the Office of Management and Budget’s memorandum 22-09, also calls on agencies to secure public-facing systems by offering citizens the same level of authentication as federal employees. This would give citizens choices as to how strong they want their interaction with the government to be.

“We want people to say if they need something from the government, they can go to Login.gov, log in with their strong identity and authenticator and then have the ability to request access to multiple government systems,” Hernandez said. “If we give them a single front door with a single strong way to get in and access it, we’re going to win every time.”

Identity proofing is also a focus for the agency for its citizen-facing services. Hernandez said the technology allows citizens to use a camera for a higher level of identity proofing.

“We can’t get up to the highest levels, but the intermediate levels of proofing we can do through a camera. Goal one is to make that available as kind of the first right,” Hernandez said. “If we can keep people in the comfort of their home or wherever they want to be, that’s what we want to do.”

Hernandez cited a pilot between the U.S. Postal Service and the General Services Administration to offer identity proofing solutions at post offices.

“Even Congress has taken notice of this, and there’s been some proposed legislation that authorizes the post office under law to do identity proofing and collect funds for it and also issue authenticators,” Hernandez said. “This is exactly the direction we should be going as a modern digital society.”
