Zero Trust Architecture: Acquisition and Adoption

What is Zero Trust Architecture (ZTA)?

Zero Trust is not a technology, but an approach to cybersecurity. It assumes all cyber networks and traffic are hostile in nature, and that any implicit trust in users should be eliminated. Now, more than ever, Zero Trust concepts are becoming increasingly important to an agency’s IT security posture as we see an increase in cyber attacks.

Zero Trust Architecture (ZTA) is a cybersecurity strategy that employs narrow and dynamic network defenses where every action, and use of resources is questioned, and where users are given the minimum levels of access to information needed to do their jobs.

To fully implement ZTA, organizations need to focus on the integration and implementation of a range of tactics and technologies. We can no longer rely on the concept of “trust, but verify”. Instead, agencies must verify, re-verify, and continue re-verifying with added layers of cybersecurity to establish true ZTA.

Why is ZTA important now?

Recent sophisticated cyber attacks and the shift to remote/virtual work environments highlight the importance of focusing on cybersecurity. The recent Sunburst and Colonial Pipeline cyber attacks exposed vulnerabilities in government and private sector computer systems. These attacks are a stark reminder that a weakness anywhere is a weakness everywhere. Furthermore, as organizations move to a mix of cloud-based, on-premises, and hybrid network models, traditional perimeter-focused network defenses can no longer protect an organization’s information communication technology assets. To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, government agencies must move quickly to modernize their cybersecurity capabilities and accelerate towards the adoption of ZTA.

In 2020, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207, Zero Trust Architecture was released to provide agencies with guidance and detailed recommendations to improve their security posture using the core principles of ZTA. More recently, Executive Order 14028 “Improving the Nation’s Cybersecurity” requires all Federal agencies to develop a plan to implement ZTA in an effort to modernize and strengthen cybersecurity standards and detection.

What can agencies do to embrace ZTA?

Although there is no single end-to-end, comprehensive Zero Trust network solution, movement towards a Zero Trust security posture does not require agencies to rip and replace existing cybersecurity tools, hardware, or software products. Rather, agencies can make incremental steps to “re-tool” existing products to adhere to Zero Trust principles and supplement with GSA-offered products, services, and solutions to achieve ZTA.

GSA created a Zero Trust Architecture Buyer’s Guide for acquisition, network architect, and cybersecurity professionals who are seeking to implement ZTA. The guide is a roadmap to ZTA and provides helpful concepts and best practices. Zero Trust security models currently range between five and seven pillars. For the purposes of facilitating an acquisition-based perspective, GSA chose to represent a combination of eight unique pillars that agencies should consider when implementing a robust and efficient Zero Trust security model.

Zero Trust Architecture Pillars-User, Device, Network, Infrastructure, Application, Data, Visibility and Analytics, Orchestration and Automation

Getting to Zero Trust is a journey. Moving to ZTA will take time, and agencies will be at different starting points as they implement a Zero Trust strategy. When evaluating a ZTA solution, agencies should consider how well the product or service addresses these eight pillars and to what extent.

Zero Trust Pillars

PillarDescription
UserInvolves focus on user identification, authentication, and access control policies which verify user attempts connecting to the network using dynamic and contextual data analysis.
DevicePerforms “system of record” validation of user-controlled and autonomous devices to determine acceptable cybersecurity posture and trustworthiness.
NetworkIsolates sensitive resources from being accessed by unauthorized people or things by dynamically defining network access, deploying micro-segmentation techniques, and control network flows while encrypting end-to-end traffic.
InfrastructureEnsures systems and services within a workload are protected against unintended and unauthorized access, and potential vulnerabilities.
ApplicationIntegrates user, device, and data components to secure access at the application layer. Security wraps each workload and compute container to prevent data collection, unauthorized access or tampering with sensitive applications and services.
DataInvolves focus on securing and enforcing access to data based on the data’s categorization and classification to isolate the data from everyone except those that need access.
Visibility and AnalyticsProvides insight into user and system behavior analytics by observing real-time communications between all Zero Trust components.
Orchestration and AutomationAutomates security and network operational processes across the ZTA by orchestrating functions between similar and disparate security systems and applications.
Zero Trust Pillars

How can GSA help?

There are many elements of a Zero Trust solution that crosscut and incorporate GSA contract offerings. The information provided in the Zero Trust Architecture Buyer’s Guide can help agencies mature their Zero Trust implementation plans.

There are multiple GSA resources that support Zero Trust efforts, like the Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) which provides access to vendors who have passed an oral technical evaluation for cybersecurity services, making it easier for agencies to find quality vendors.

The Continuous Diagnostics and Mitigation (CDM) Tools SIN provides access to cybersecurity products included on the Department of Homeland Security Cybersecurity & Infrastructure Security Agency’s Approved Products List. Agencies can use these and other comprehensive GSA solutions to support the design and deployment of architectures that follow the tenets of Zero Trust.

Continuous Monitoring: Keeping Your System Up to Date and Prepared for Cyberattacks

Continuous monitoring of IT systems is an evolving process. It adapts as new technologies and capabilities become available and as organizations are faced with advanced and persistent threats. However, the core strategies of continuous monitoring lay the foundation for safe and secured federal IT systems.

Continuous monitoring helps agencies identify, resolve, and understand key insights regarding certain risks to their information systems. The Risk Management Framework (RMF) process consists of several steps that include preparing a system for authorization, authorizing the system, and continuously monitoring the system until the next authorization process begins. The monitoring step is essential for agencies that want to minimize risks to their security systems.

As mentioned in previous posts, the Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) solution is available for agencies in need of cybersecurity services, including RMF. GSA’s HACS solution connects agencies with vendors who have passed an oral technical evaluation for cybersecurity services, making it easier for agencies to find quality vendors to assist with continuous monitoring strategies and Security Operations Centers (SOCs) activities.

After agencies obtain Authorization to Operate (ATO), they move into the continuous monitoring step of the RMF process. Though continuous monitoring strategies can vary by agency, usual tasks include near real-time risk management and ongoing authorization based on the system environment of operation. This step’s dynamic processes determine if a system’s security controls continue to be effective over time.

Risk Management Framework (RMF) image
Disclaimer: RMF steps can vary based on an organization’s cybersecurity needs.

RMF services are available through GSA’s HACS SIN. A Statement of Work (SOW) for the RMF process can be found on the HACS website and includes example language for procuring services for the Monitor Step. The SOW outlines several subtasks that make up the continuous monitoring phase of RMF.

Roles and Responsibilities within the Continuous Monitoring Strategy

As part of the continuous monitoring process, the agency will oversee information system and environment changes. This process involves determining the security impact of proposed or actual changes to the information system and its environment of operation.

Security Control Assessments

An Information Owner (IO), Security Control Assessor (SCA), Information System Security Officer (ISSO), and Information System Security Engineer (ISSE) will be responsible for ongoing security control assessments. The IO is an inherently governmental position; however, contractors can provide support for the other roles in most situations. In these assessments, personnel examine the technical, management, and operational security controls within an information system. This practice ensures that a system is in accordance with the agency’s monitoring strategy.

Risk Determination

The Chief Information Security Officer (CISO) performs ongoing risk determination and acceptance as a part of continuous monitoring. This task consists of reviewing the reported security status of the information system (including the effectiveness of security controls employed within, and inherited by, the system) on an ongoing basis. The CISO aims to determine whether the risk to the agency’s system remains acceptable. If a risk is not acceptable, remediation will take place. This CISO is in an inherently governmental position; however, contractors can provide subject matter expertise and recommendations for risk determinations.

Ongoing Remediation

The IO and ISSO take part in ongoing remediation actions throughout the continuous monitoring process. Along with the Information System Owner (ISO) and the Common Control Provider (CCP), these personnel conduct remediation actions based on the results of ongoing monitoring activities, the assessment of risk, and outstanding items in the Plan of Action and Milestones.

For more information on HACS RMF services and how using the HACS SIN can make it easier for your agency to monitor its systems, visit the HACS homepage or download the customizable RMF Statement of Work (SOW).

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Authorization to Operate: Preparing Your Agency’s Information System

To close out National Cybersecurity Awareness Month, here are some steps federal agencies can take to protect their IT systems from cyber attacks and cybersecurity vulnerabilities using the Authorization to Operate (ATO) process.

An ATO demonstrates that a federal agency has gone through a federally approved, detailed process to protect an IT system from incidents such as cyberattacks, security breaches, malware, and phishing attempts. Many federal IT systems are required to obtain an ATO to process government data and federal regulations recommend that agencies follow the Risk Management Framework (RMF) to become authorized.

GSA’s Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) provides solutions for all of an agency’s cybersecurity service needs, including RMF. The HACS SIN connects agencies with vendors who have passed oral technical evaluations for cybersecurity services performed within the RMF, and who are ready to assist agencies with the RMF process for a successful authorization.

RMF Graphic full definitions ATO highlight (3)
Disclaimer: RMF steps can vary based on an organization’s cybersecurity needs.

All of the steps, tasks, and activities that precede the “Authorize” step of the RMF help to prepare the information system for the authorizing official’s appraisal. The authorizing official is not a contractor, but a federal employee of whichever agency is seeking ATO.

The HACS SIN connects federal agencies with contractors who can help in each stage of the RMF. Contractors can assist agencies in producing the deliverables associated with each RMF step listed in the chart below.

Disclaimer: RMF deliverables can vary based on an organization’s cybersecurity needs.

Once an agency has successfully completed the first four steps of the RMF (“Categorize” through “Assess”), an authorizing official will evaluate the system. The authorizing official for the federal agency in question evaluates residual risks identified during the security control assessment, and makes the decision to authorize the system to operate, deny its operation, or ask the agency to address any issues.

When granting an ATO, authorizing officials look for the following checklist of items:

  • Plan of Action and Milestones (POA&M)
  • Authorization Package
  • Final Risk Determination and Risk Acceptance
  • Authorization Decision

The POA&M is one of the most important deliverables produced in the RMF process. It reflects organizational priorities for addressing any remaining weaknesses and deficiencies in an information system and its environment of operation. The Authorization Package includes all key documents including the security plan, security assessment report, and the POA&M. 

Following the RMF steps helps your agency to achieve ATO, but the work does not end after an ATO is issued. Agencies must also continuously monitor their systems to ensure that security controls remain effective over time.

In addition, many federal agencies must reauthorize their information systems every three years by going through the RMF process again. This is where the final step of the RMF, “Monitor Controls,” is important. As part of continuous monitoring, a sample of the applicable security controls are tested annually, periodic vulnerability scanning is performed, and security impact analysis of changes are performed. If an agency continuously monitors its systems over those three years by documenting specific technical changes, environment changes, or changes to the organizational risk management strategy, it may be easier to renew an ATO because any security risks can  be mitigated at the time they occur. 

For more information on HACS RMF services and how using the HACS SIN can make it easier for your agency to achieve an ATO, visit the HACS homepage or download the customizable RMF Statement of Work (SOW).

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Cybersecurity Best Practices During the COVID-19 Pandemic

The unprecedented and extraordinary efforts by businesses and Federal agencies to keep employees and customers safe during the COVID-19 pandemic have also inadvertently opened the door to cyberattacks.

Large-scale transitions to work-from-home technologies, heightened activity on many public-facing networks, and greater use of online services have presented new openings for cyber attackers to exploit. As people around the world shelter in place, they turn to online platforms to chat with friends, shop, work, and go to school. That transition to virtual life puts a large strain on cybersecurity controls.

Federal agencies face new daily challenges in assuring the security of networks. In the midst of the current global pandemic that imperative is even greater — they must protect their institutions while ensuring that daily tasks go on uninterrupted. The Office of Management and Budget (OMB) recommends that agencies “make risk-based decisions as appropriate to meet mission needs” during the COVID-19 pandemic.

It is important now for agency leaders to focus on supporting technologies and capabilities that are absolutely essential to their organizations’ operations. Priority actions — and relevant technologies — may include testing already existing security plans, continuously monitoring security systems, and maintaining access security. GSA’s Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) provides Federal agencies with rapid access to cybersecurity vendors who can assist with the following priority actions and more.

Best practices

Testing and having incident response plans in place are helpful for any agency. If an agency has plans such as incident response, disaster recovery, or continuity, it is important to test those plans and assess any risks as soon as possible. GSA’s HACS SIN provides rapid access to vendors evaluated for incident response services.

Chief Information Security Officers (CISOs) should continue to monitor their systems closely in order to identify cybersecurity events and incidents as soon as they may appear. Focus areas include monitoring networks for new strains of malware, monitoring collaboration tools such as Google Drive or Dropbox, and monitoring personnel activity. CISOs can also monitor their systems by using Intrusion Detection Systems or their preferred live network monitoring software. The HACS SIN is an efficient way to access these capabilities.

Access management in a remote work environment is another essential focus area during the COVID-19 pandemic. Though cybersecurity is essential, so is the physical safety of the American people. Agencies are encouraging teleworking whenever possible to adhere to the Government’s social distancing guidelines, and cybersecurity experts are needed to help make telework safe and secure for employees.

With many — if not all — of an agency’s employees working from home, click-through rates for phishing emails may increase when employees no longer work closely enough with coworkers to ask them in person about suspicious activity. Remote work can also require agencies to enable offsite access to critical and/or confidential information, which can increase the risk of a cyber attack. Employees can mitigate this risk by adhering to their agency’s access control policy and utilizing secure connections (such as Two-Factor Authentication (2FA) and/or VPN) when accessing Government networks containing sensitive information.

The COVID-19 pandemic is first and foremost a human challenge, with heads of agencies and employees all juggling professional duties with personal and family responsibilities. The risk of cyberattacks will be elevated, but by focusing now on cyber activities — testing response plans, monitoring security systems, and maintaining personnel security — agencies can successfully maintain their security.

GSA is here to help connect Federal agencies with vendors that provide necessary cybersecurity services during this time through the HACS SIN solution. For more information, visit the HACS Homepage. To learn more about the additional services the HACS SIN provides, watch our HACS Overview Video.

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Protecting State and Local Election Systems and Strengthening Cyber Defenses

By Kay Ely, Assistant Commissioner, Office of Information Technology Category

Preventing infiltration and tampering of elections systems and fortifying cyber defenses continue to be important topics.

Through our established IT contract vehicles, GSA can provide government agencies with access to cybersecurity products and services to improve resilience, protect important information, and bring election systems into compliance with leading-edge practices for enhancing security in today’s tech-savvy environment.

Cooperative Purchasing Program

GSA’s Cooperative Purchasing Program allows state, local, and tribal governments to benefit from access to solutions, products, and services from pre-vetted industry partners through IT Schedule 70 — the same as those offered to federal agencies.

That means these government agencies can buy the newest cybersecurity offerings under the Highly Adaptive Cybersecurity Services (HACS) and Continuous Diagnostics and Mitigation (CDM) Special Item Numbers (SINs) which can help with risk assessments and management of election systems.

Cyber Products and Services

Services offered by our HACS partners:

  • Risk and Vulnerability Assessment (RVA) services that adhere to the Department of Homeland Security’s (DHS) methodology for assessing High Value Assets
  • Penetration Testing to proactively identify and detect cyber vulnerabilities
  • Cyber Hunt to mitigate immediate and potential threats
  • Incident Response to expand government’s ability to recover from cyber attacks

Government agencies can also buy cybersecurity tools that are on DHS’s CDM Approved Product List through the CDM Tools SIN. These offer hardware and software tools designed to:

  • Identify enterprise cybersecurity risks on an ongoing basis
  • Prioritize these risks based upon potential impacts
  • Enable cyber security personnel to mitigate the most significant problems first

Here at GSA, we are committed to providing the best quality products and services to our state, local, and tribal government customers and we’re ready to help you secure our nation’s systems.

For more information on the HACS and CDM Tools SINs, visit https://gsa.gov/itsecurity, or contact the IT Security Subcategory Team at itsecuritycm@gsa.gov.

The Next Phase for HACS (Cyber) — Modernization

By Kay Ely, Assistant Commissioner, Office of Information Technology Category

Cybersecurity incidents and on-going emerging threats to our data, networks, and systems over the last few years have significantly changed how we approach cybersecurity. GSA remains committed to ensuring the government’s long-term security, responsiveness, and efficiency when it comes to monitoring and protecting our valuable digital assets and IT systems.

We’re always proactively focusing on the products, services, and vehicles needed to help carry out agency missions. We’re also sharpening our focus on cyber acquisition solutions, so security is integrated into the system acquisition process. This means that we’re constantly evaluating and improving our solutions.

With this in mind, our Highly Adaptive Cybersecurity Services (HACS) program is entering its next phase: HACS Modernization.

Today’s HACS Portfolio on IT Schedule 70 consists of four Special Item Numbers (SINs):

  • Cyber Hunt
  • Incident Response
  • Penetration Testing
  • Risk and Vulnerability Assessment

Feedback from the expert providers in the cybersecurity services market can help us further enhance our current array of HACS offerings. Enhancements to GSA’s cybersecurity acquisition solutions will not only help us drive more use by agencies, it will also lead to improved outcomes and safer IT systems for federal, state, local, tribal, and territorial governments.

To that end, our team is working to make it easier for industry to provide feedback through two RFIs and a stakeholder event in June.

HACS Modernization Requests for Information (RFI)

To determine the best course of action, we released two HACS Modernization Requests for Information (RFI) on May 22, 2018, one for agencies and the other for industry partners. We encourage our current HACS suppliers and agency partners to participate in those RFIs. We particularly want feedback from those agencies that have not yet used the HACS SINs.

The RFIs are open until June 23, 2018 at 5 p.m. EDT

June 18 Stakeholder Event

We’re also hosting a HACS Stakeholder Event on Monday, June 18, 2018, from 9 a.m. to 1 p.m. EDT at GSA headquarters to discuss the HACS program’s past, present, and future.

We welcome both in-person and virtual attendees. We’ll be featuring guest speakers from Department of Homeland Security (DHS), Office of Management and Budget (OMB), and GSA’s Office of IT Category and GSA’s Office of Small Business Utilization (OSBU).

Let’s Work Together

We want to hear what you think about the cybersecurity landscape and how effective you think GSA’s current services are now, where we can improve them for the future, and the best ways to enhance our delivery to agencies.

Please respond to the relevant RFIs and attend our Stakeholder Event. Together we can enhance our HACS program and deliver a total package that helps agencies securely accomplish their mission.

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government I