
Federal CIO Previews New Cyber Metrics, Zero Trust Pilot

President Trump’s administration is moving forward on several initiatives to accelerate IT modernization and bolster cybersecurity governmentwide, including updates to key metrics that govern how agencies secure their IT systems, a pilot to improve network security and programs to better recruit and retrain skilled workers.

Much of this progress is being tracked through the President’s Management Agenda, which provides a long-term vision for updating antiquated government systems, enabling agencies to make better decisions around data and providing federal managers with the tools to hire top talent, retrain employees and deal with poor performers.

“We have to be iterative in the technology work that we do, and we have to be iterative in the policies that support those,” Federal CIO Suzette Kent said during a keynote at the 930gov conference in Washington, D.C. on Tuesday. Although she did not provide specifics on all the policies that will be changed, Trump’s administration has been clear about removing burdensome and outdated policies that hinder advancements. Those policy reviews will begin the first week in September.

Kent said the Office of Management and Budget (OMB) is partnering with the Homeland Security Department (DHS) to update the CIO FISMA (Federal Information Security Modernization Act) metrics, which set a baseline for how agencies should secure their IT systems and also help OMB monitor agencies’ cybersecurity performance. These metrics align with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, which agencies have been required to adopt. The metrics have not yet been finalized, but those changes should be coming out in the third quarter of this year.

In terms of the workforce, Kent noted that the administration is working to engage skilled workers who can sustain progress made through IT modernization and cybersecurity initiatives. Technology such as artificial intelligence (AI) and automation will also play a key role in that sustainment. Expect to see programs focused on recruiting top IT talent to government, sustaining existing team members and using their institutional knowledge, and retraining employees to fill critical roles.

Zero Trust Network

At a MeriTalk cybersecurity event earlier this month, Kent said that the CIO Council is sponsoring a zero trust network pilot. “Agencies are advancing their thinking in terms of what they need to protect,” she said, adding that agencies need to continue looking at what they measure and automate some of those activities.

GovLoop reached out to OMB for more details on the pilot. According to an administration official, the pilot “will identify solutions for Federal IT systems to be more stable and secure. Results from this program will be reviewed by a working group comprised of technology leaders throughout the Federal Government and reported to the CIO Council for better oversight.”

Sylvia Burns, who will be leaving her role as CIO of the Interior Department and heading to the Federal Deposit Insurance Corporation, has been overseeing the pilot. It isn’t clear how or if this personnel change will impact the pilot.

In the wake of the massive Office of Personnel Management (OPM) breach that compromised the personal data of more than 22 million Americans, there were calls from lawmakers to adopt a so-called zero trust system. “The zero trust model centers on the concept that users inside a network are no more trustworthy than users outside a network,” USA Today reported in 2016, citing a 231-page report by the Oversight and Government Reform Committee’s Republican majority.

Kent said that agencies’ efforts to modernize and better secure government systems have led to them completing 40 of the 52 tasks outlined in the 2017 IT modernization report to the president, and they are on track to finish the rest by year’s end. That includes taking steps to enable widespread cloud adoption across government through better contracts and consolidating the number of networks that agencies operate. Twenty of the largest federal agencies are sharing cyber data at the agency level and with the DHS dashboard, and more than half of agencies are adopting Phase 3 of the Continuous Diagnostics and Mitigation (CDM) program, which focuses on empowering agencies to manage what’s happening on their networks.

“We have to aggressively keep the mindset that we are never done,” Kent said. “It’s just a step in the journey.”

One Comment

Mark Hensch

Great article Nicole! I wonder how the zero trust pilot will ultimately impact the entire federal government. Perhaps it’s a model all agencies will adopt?