Register: REGISTER: This is a Hybrid meeting. A dinner meal will be served (Meal menu TBD). REGISTER HERE IN PERSON & ONLINE ZOOM, Location 6th floor of 1550 Crystal Dr, Arlington, VA 22202. Registration closes on Monday 04/17/2023.
Abstract: This presentation focuses on Zero Trust Planning and providing a strong business case for the required budget to implement Zero Trust architecture. In May of 2021, President Biden signed Executive Order 14028, titled “Improving the Nation’s Cybersecurity,” which aligned the concepts of the NIST Cyber Security Framework (CSF) with better Threat Information Sharing and promoting an effort to modernize the nation’s cybersecurity posture using a Zero Trust Architecture. Following the popularity of ZTA in the private sector and the wide acceptance of NIST SP 800-207 as the doctrine for ZTA; USG Department of Defense (DoD) and Defense Information Systems Agency (DISA) created a Security Technical Implementation Guide (STIG) to prescriptively provide agencies with explicit policies and controls to implement ZTA. While this presentation will only approach ZT from a high-level it will point the audience to deeper learning/guidance of next steps post budget approval. These next steps can include areas such as:
Responding to the EO 14028, the Cybersecurity and Infrastructure Security Agency (CISA) drafted a Zero Trust Maturity Model “designed to be a stopgap solution to support Federal Civilian Executive Branch (FCEB) agencies in designing their zero trust architecture (ZTA) implementation plans in accordance with Section 3,b,ii of Executive Order 14028.” Pursuant to EO 14028, OMB released Memorandum M-22-09 providing all federal agencies a series of requirements to assist in reaching some maturity within the Zero Trust Architecture. “This memorandum requires agencies to achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024. These goals are organized using the zero trust maturity model developed by CISA. CISA’s zero trust model describes five complementary areas of effort (pillars) (Identity, Devices, Networks, Applications and Workloads, and Data), with three themes that cut across these areas (Visibility and Analytics, Automation and Orchestration, and Governance).”
While these goals are specific, the methods to achieve them allow for some flexibility.
- Identity: Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.
- Devices: The Federal Government has a complete inventory of every device it operates and authorizes for Government use, and can prevent, detect, and respond to incidents on those devices.
- Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment and begin executing a plan to break down their perimeters into isolated environments.
- Applications and Workloads: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.
About the Speaker: William Chip Crane is a Cloud and Cybersecurity Executive with IBM for the past nine years. He previously was the Chief Information Officer (CIO) of Parkseed and Manager of Information Security for Ahold Services. He holds a B.S. in Computer Science with a Business Minor from the University of South Carolina. He is an innovative and experienced Technical Executive with a demonstrated history of success in solution and services sales. He is skilled in Executive Development, SaaS, Cloud Design, Cybersecurity, Enterprise Software, Enterprise Architecture and Open Source Development.