ZT Roadmap -- (HHS) -- Case Study.
BLUF -- Developing a Zero Trust (ZT) roadmap for the US Department of Health and Human Services (HHS) involves systematically ensuring data security and access control for all its systems and networks. -- Remember, implementing ZT is an iterative process, and it requires ongoing attention, adaptation, and collaboration from all levels within HHS to ensure secure data access and protection.
Roadmap for implementing ZT for HHS (Goals and Objectives): (8)
Goal -- Analysis, Assessment, and Planning:
Evaluate the current security infrastructure and identify any vulnerabilities or gaps in access controls.Â
DO -- Analysis and Assessments // [D] via "Shall Statements" to mitigate vulnerability gaps (ex. HHS VAPT team).
DO -- Maturity Assessment Plan: Audit Duration.
Define the Goals and Objectives (VMGO) of implementing a ZTA, considering HHS's unique requirements and compliance obligations.
DO -- Human Capability Barrier (HCB): Define present-state and future-state (the Star). Establish the roadmap to "the Star", the people, process, and technology.
Identify critical assets and classify them based on their importance and sensitivity, such as personal health information (PHI) or research data.
Goal -- Define the Zero Trust Strategy:
Educate and communicate the concept of ZT to all stakeholders within HHS to gain their support and involvement.
Establish clear guiding principles and policies for implementing a Zero Trust Architecture.
Designate a dedicated team responsible for overseeing the ZT implementation process and ensuring compliance. Example: a ZT WG.
Goal -- Segment the Network:
Divide the HHS network into logical segments or micro-perimeters based on the type of users, data, and applications.
Implement network segmentation controls, such as firewalls, virtual private networks (VPNs), or software-defined perimeters (SDPs).
Ensure that each segment has defined access policies and restricted lateral movement between segments.
Goal -- Enhance User Authentication:
Implement multi-factor authentication (MFA) across all HHS systems and applications.
Emphasize the use of strong and unique passwords, and enforce regular password changes.
Consider integrating biometric authentication methods for high-security areas or sensitive data access.
Goal -- Implement Access Controls:
Implement Identity and Access Management (IAM) solutions to manage and control user access to HHS systems.
Adopt the principle of least privilege, granting users only the minimum access required to perform their job functions.
Employ granular access control mechanisms, such as role-based access control (RBAC) or attribute-based access control (ABAC).
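The three access-control items above (IAM, least privilege, RBAC/ABAC) combine naturally into one policy decision point. The following is an added example, not code from the HHS roadmap or from CISA: a deny-by-default evaluator that layers ABAC attributes (MFA-verified session, compliant device, owning OpDiv) over a least-privilege role table, and emits a log line a SIEM could ingest. The roles, attributes, classification labels, OpDiv names and log format are assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Added illustration, not HHS or CISA code. Roles, attributes and the policy
# below are assumptions chosen to show RBAC + ABAC layered over least privilege.

@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset          # RBAC: roles assigned to the user
    opdiv: str                # ABAC attribute: the user's Operating Division
    mfa_verified: bool        # ABAC attribute: session passed MFA
    device_compliant: bool    # ABAC attribute: device meets policy

@dataclass(frozen=True)
class Resource:
    resource_id: str
    classification: str       # "public", "internal" or "phi"
    owner_opdiv: str

# Least privilege: each role carries only the actions that job function needs.
ROLE_PERMISSIONS = {
    "clinician":  frozenset({"read", "update"}),
    "researcher": frozenset({"read"}),
    "helpdesk":   frozenset(),   # support staff get no data access by default
}

def decide(subject: Subject, resource: Resource, action: str):
    """Evaluate one access request. Returns (allowed, reason); default is deny."""
    granted = frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in subject.roles))
    if action not in granted:
        return False, f"action '{action}' not granted to roles {sorted(subject.roles)}"
    if resource.classification == "phi":
        if not subject.mfa_verified:
            return False, "PHI requires an MFA-verified session"
        if not subject.device_compliant:
            return False, "PHI requires a policy-compliant device"
        if subject.opdiv != resource.owner_opdiv:
            return False, "PHI is scoped to the owning OpDiv"
    elif resource.classification == "internal" and not subject.mfa_verified:
        return False, "internal data requires an MFA-verified session"
    return True, "allowed"

def audit_record(subject: Subject, resource: Resource, action: str, decision):
    """Flatten a decision into a log line for the SIEM (constructed key=value format)."""
    allowed, reason = decision
    return (f"user={subject.user_id} action={action} resource={resource.resource_id} "
            f"class={resource.classification} decision={'ALLOW' if allowed else 'DENY'} "
            f"reason=\"{reason}\"")

# Constructed sample resource and requesters
PHI_RECORD = Resource("patient-4711", "phi", "OpDiv-A")
CLINICIAN = Subject("alice", frozenset({"clinician"}), "OpDiv-A", True, True)
RESEARCHER_NO_MFA = Subject("bob", frozenset({"researcher"}), "OpDiv-A", False, True)
HELPDESK = Subject("carol", frozenset({"helpdesk"}), "OpDiv-A", True, True)
OTHER_OPDIV = Subject("dan", frozenset({"clinician"}), "OpDiv-B", True, True)

if __name__ == "__main__":
    for subj, act in [(CLINICIAN, "update"), (RESEARCHER_NO_MFA, "read"),
                      (HELPDESK, "read"), (OTHER_OPDIV, "read"), (CLINICIAN, "delete")]:
        print(audit_record(subj, PHI_RECORD, act, decide(subj, PHI_RECORD, act)))
```

The role table is checked first so that a missing permission is denied before any attribute is consulted; the attribute checks then tighten access further for PHI, and every outcome carries a reason so that denials are reviewable in the SIEM rather than silent.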
Goal -- Enable Continuous Monitoring:
Set up a centralized Security Information and Event Management (SIEM) system to collect and analyze logs from various HHS systems.
Establish real-time monitoring capabilities for detecting and responding to security incidents promptly.
Implement regular vulnerability scans and penetration testing to identify any weaknesses and address them in a timely manner.
Goal -- Educate and Train Users:
Conduct awareness campaigns to educate HHS employees and contractors about ZTA principles, policies, and best practices.
Provide regular training sessions on recognizing and responding to phishing attempts, social engineering, and other potential threats.
Foster a culture of cybersecurity awareness and accountability within HHS by promoting secure behavior and reporting potential issues.
Goal -- Regular Reviews and Enhancements / Continuous Service Improvements (CSI):
Conduct periodic assessments and audits of the ZTA implementation to ensure ongoing effectiveness.
Stay updated with emerging ZTA frameworks, technologies, and industry best practices, making necessary adjustments as required.
Continuously engage with stakeholders to gather feedback and identify areas for improvement and expansion of the ZTA.
Question:
Prepare HHS's Operating Divisions (OpDivs) to meet the Zero Trust Maturity (ZTM) goals, established by CISA, considering the funding allocated in FY23, FY24, and the projected needs for FY25 and FY26.
Ref-1: CISA's ZTMM v2.0 (April 2023).
Ref-2: HHS' Journey to ZTM (4 Sept 2025, PDF) using CISA ZTMM.
Ref-3: CISA ZTMM has 5 Pillars, 3 Cross-Cutting Capabilities [Pg. 9] // 4 Maturity Levels [Pg. 9-10]
Pillars (5) / and Functions (37). Maturity Level definitions can be seen on pages 13-30. ~ Note: This is HHS' ZT Strategy using CISA ZTMM.
Pillar-1: Identity / Functions (7): (1) Authentication (2) Identity Stores (3) Risk Assessments (4) Access Management (New Function) (5) Visibility and Analytics Capability (6) Automation and Orchestration Capability (7) Governance Capability. ~ Note: Each function has maturity level definitions, see pages 13-15.
Pillar-2: Devices / Functions (7): (1) Policy Enforcement & Compliance Monitoring (New Function); (2) Asset & Supply Chain Risk Management (New Function); (3) Resources Access (Formerly Data Access); (4) Device Threat Protection (New Function); (5) Visibility and Analytics Capability; (6) Automation and Orchestration Capability; (7) Governance Capability. ~ Note: Each function has maturity level definitions, see pages 16-19.
Pillar-3: Networks / Functions (7): (1) Network Segmentation; (2) Network Traffic Management (New Function); (3) Traffic Encryption (Formerly Encryption); (4) Network Resilience (New Function); (5) Visibility and Analytics Capability; (6) Automation and Orchestration Capability; (7) Governance Capability. ~ Note: Each function has maturity level definitions, see pages 20-22.
Pillar-4: Applications and Workloads / Functions (8): (1) Application Access (Formerly Access Authorization); (2) Application Threat Protections (Formerly Threat Protections); (3) Accessible Applications (Formerly Accessibility); (4) Secure Application Development and Deployment Workflow (New Function); (5) Application Security Testing (Formerly Application Security); (6) Visibility and Analytics Capability; (7) Automation and Orchestration Capability; (8) Governance Capability. ~ Note: Each function has maturity level definitions, see pages 23-25.
Pillar-5: Data / Functions (8): (1) Data Inventory Management; (2) Data Categorization (New Function); (3) Data Availability (New Function); (4) Data Access; (5) Data Encryption; (6) Visibility and Analytics Capability; (7) Automation and Orchestration Capability; (8) Governance Capability. ~ Note: Each function has maturity level definitions, see pages 26-28.
Cross-Cutting Capabilities (3) & Functions (3): These functions provide opportunities to integrate advancements across each of the five pillars above. [pg. 29-30]
Visibility and Analytics -- Supports comprehensive visibility that informs policy decisions and facilitates response activities. ~ Note: This function has maturity level definitions, see pages 29-30.
Automation and Orchestration -- Leverages these insights to support robust and streamlined operations that handle security incidents and respond to events as they arise. ~ Note: This function has maturity level definitions, see pages 29-30.
Governance (2) -- (1) Enables agencies to manage and monitor their regulatory, legal, environmental, federal, and operational requirements in support of risk-based decision-making. (2) Also ensures the right people, process, and technology are in place to support mission, risk, and compliance objectives. ~ Note: This function has maturity level definitions, see pages 29-30.
Visualization Tools:
By providing a comprehensive review of progress, funding utilization, and future needs, HHS can effectively advocate for OpDivs (to OMB) and secure the necessary resources to achieve ZTM. -- HOW2: Use Excel or Power BI to capture data such as start-dates and end-dates, including dates for "Sustainment" (what is needed to keep ZTM going) and "Constraints" (such as funding gaps and/or lack of resources), with a rationale for each, and build a quantitative visualization that surfaces maturity insights for OMB consumption.
Answer:
Validate Progress: Utilize CISA's maturity levels to assess the progress made by OpDivs towards ZTM since the initiative began.
Funding Efforts: Outline the efforts undertaken by OpDivs to secure funding for ZTM initiatives.
Appropriated Funds Utilization: Analyze how OpDivs are currently spending the appropriated funds to achieve ZTM goals. Identify any concerns, constraints, challenges, or funding gaps that may hinder their progress.
Funding Needs: Based on the current assessment and future projections, estimate the additional funding required for OpDivs to achieve and sustain ZTM over the next four years (FY23-FY26).
Advocacy: Equip HHS with the necessary information to effectively advocate for additional funding from the Office of Management and Budget (OMB) in March 2024.
Constraint Examples:
OpDivs might state, "While we can make significant progress with the current funding, achieving full ZTM compliance will require additional resources in FY25 and FY26 and beyond. These additional funds will allow us to [specific actions made possible with additional funding]."
Benefits & Value -- By following the below steps, HHS can effectively utilize CISA's pillars towards achieving a robust zero-trust posture (ZTM) across its OpDivs, fostering a more secure and resilient environment for managing sensitive data and operations.
Once you've completed assessing the ZTM of each HHS OpDiv using CISA's pillars, the next steps are (3):
1. Prioritization and Planning (3):
Analyze the results: Evaluate the maturity assessment findings (Ex. Using Excel). Identify the OpDivs with the highest and lowest maturity levels.
Prioritize: Based on the analysis, prioritize the OpDivs that require the most urgent attention, based on factors like:
Sensitivity of data handled: OpDivs handling highly sensitive data might need faster improvement.
Existing security posture: OpDivs with weaker existing security might be more vulnerable and require quicker advancement.
Operational needs and resources: Consider the specific operational needs and available resources of each OpDiv. (Ex. Funding constraints; identify funding gaps).
Develop a roadmap: Create a comprehensive roadmap outlining the steps for each OpDiv to achieve its desired maturity level (this involves F2F and weekly meetings). The roadmap should include:
Specific goals and timelines: Define clear goals for each maturity level and set realistic timelines for achieving them.
Actionable steps: Outline the specific actions (objectives) required to achieve each goal, including resource allocation, training needs, and technology implementation.
Budget allocation: Allocate financial resources, and record constraints/gaps with start and end dates, according to the priorities and needs identified in the assessment.
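The "Visualization Tools" note above and the Prioritization and Planning steps (analyze results, prioritize by sensitivity and posture, record constraints with start and end dates) describe one data-processing pipeline. The following is an added example, not code from the HHS roadmap or from CISA: it scores each OpDiv against the five CISA ZTMM pillars using the four maturity levels (Traditional, Initial, Advanced, Optimal), ranks OpDivs by distance to Optimal weighted by data sensitivity, finds each OpDiv's weakest pillars, and lists the constraints open on a report date, producing the rows a spreadsheet or Power BI table would consume. The OpDiv names, assessed levels, sensitivity weights, constraint records and the weighting scheme itself are constructed assumptions, not HHS figures.

```python
from collections import defaultdict
from datetime import date

# Added illustration, not HHS or CISA code. OpDiv names, levels, weights and
# constraints are constructed; the scoring and weighting scheme is an assumption.

PILLARS = ["Identity", "Devices", "Networks", "Applications and Workloads", "Data"]
# CISA ZTMM v2.0 maturity levels, lowest to highest
MATURITY_LEVELS = ["Traditional", "Initial", "Advanced", "Optimal"]
LEVEL_SCORE = {name: i for i, name in enumerate(MATURITY_LEVELS)}
TARGET = LEVEL_SCORE["Optimal"]
REPORT_DATE = date(2024, 12, 1)   # constructed "as of" date for the report

# Constructed assessment results: (OpDiv, pillar, assessed maturity level)
ASSESSMENT = [
    ("OpDiv-A", "Identity", "Advanced"), ("OpDiv-A", "Devices", "Initial"),
    ("OpDiv-A", "Networks", "Initial"), ("OpDiv-A", "Applications and Workloads", "Advanced"),
    ("OpDiv-A", "Data", "Initial"),
    ("OpDiv-B", "Identity", "Optimal"), ("OpDiv-B", "Devices", "Advanced"),
    ("OpDiv-B", "Networks", "Advanced"), ("OpDiv-B", "Applications and Workloads", "Advanced"),
    ("OpDiv-B", "Data", "Optimal"),
    ("OpDiv-C", "Identity", "Initial"), ("OpDiv-C", "Devices", "Traditional"),
    ("OpDiv-C", "Networks", "Traditional"), ("OpDiv-C", "Applications and Workloads", "Initial"),
    ("OpDiv-C", "Data", "Traditional"),
]

# Constructed data-sensitivity weight: 3 = handles PHI, 1 = public data only
SENSITIVITY = {"OpDiv-A": 3, "OpDiv-B": 3, "OpDiv-C": 1}

# Constructed constraints: (OpDiv, description, start, end or None if open-ended, rationale)
CONSTRAINTS = [
    ("OpDiv-A", "funding gap: MFA for legacy applications", date(2024, 10, 1), date(2025, 9, 30),
     "FY25 request not yet appropriated"),
    ("OpDiv-C", "resource gap: no dedicated SIEM analysts", date(2023, 10, 1), None,
     "sustainment staffing unfunded"),
    ("OpDiv-B", "funding gap: data-at-rest encryption", date(2023, 10, 1), date(2024, 3, 31),
     "closed by FY24 reprogramming"),
]

def pillar_scores(assessment):
    """Map each OpDiv to {pillar: numeric score}."""
    scores = defaultdict(dict)
    for opdiv, pillar, level in assessment:
        scores[opdiv][pillar] = LEVEL_SCORE[level]
    return dict(scores)

def overall_maturity(pillar_map):
    """Mean score across the five pillars; an unassessed pillar counts as Traditional."""
    return sum(pillar_map.get(p, 0) for p in PILLARS) / len(PILLARS)

def weakest_pillars(pillar_map):
    """Pillars at the lowest score, in CISA pillar order."""
    low = min(pillar_map.get(p, 0) for p in PILLARS)
    return [p for p in PILLARS if pillar_map.get(p, 0) == low]

def priority(opdiv, pillar_map, sensitivity):
    """Urgency = distance to Optimal, scaled by how sensitive the OpDiv's data is."""
    return (TARGET - overall_maturity(pillar_map)) * sensitivity.get(opdiv, 1)

def rank_opdivs(assessment, sensitivity):
    """OpDivs ordered most-urgent first."""
    scores = pillar_scores(assessment)
    return sorted(scores, key=lambda o: priority(o, scores[o], sensitivity), reverse=True)

def open_constraints(constraints, as_of):
    """Constraints in force on a given date (open-ended ones have end=None)."""
    return [c for c in constraints if c[2] <= as_of and (c[3] is None or as_of <= c[3])]

def build_report(assessment, sensitivity, constraints, as_of):
    """One row per OpDiv, the shape a spreadsheet or Power BI table would consume."""
    scores = pillar_scores(assessment)
    active = open_constraints(constraints, as_of)
    rows = []
    for rank, opdiv in enumerate(rank_opdivs(assessment, sensitivity), start=1):
        rows.append({
            "opdiv": opdiv,
            "rank": rank,
            "maturity": round(overall_maturity(scores[opdiv]), 2),
            "weakest_pillars": weakest_pillars(scores[opdiv]),
            "open_constraints": [c[1] for c in active if c[0] == opdiv],
        })
    return rows

if __name__ == "__main__":
    for row in build_report(ASSESSMENT, SENSITIVITY, CONSTRAINTS, REPORT_DATE):
        print(row)
```

With the constructed data, OpDiv-C has the lowest raw maturity but OpDiv-A ranks first because its PHI weighting multiplies the remaining gap; that is exactly the "sensitivity of data handled" factor above, and the weights are the knob an assessor would tune rather than something the model fixes.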
2. Implementation and Continuous Improvement (3):
Implement the roadmap: Start implementing the defined actions in the roadmap for each OpDiv. This might involve:
Deploying new technologies: Implementing MFA, least privilege access control, and data encryption solutions.
Strengthening existing security practices: improving vulnerability management, incident response, and security awareness training.
Cultural shift: Foster a culture of zero trust within the organization, emphasizing continuous improvement and shared responsibility for security.
Monitor and measure progress: Regularly monitor the progress of each OpDiv toward their goals. Utilize metrics aligned with CISA's maturity model and other relevant security frameworks to track progress.
Refine and adapt: Continuously review and adjust the roadmap based on progress, emerging threats, and changes in operational needs or regulatory requirements. This ensures ongoing improvement and adaptation of your zero-trust strategy.
3. Continuous Learning and Engagement (3):
Maintain awareness: Stay informed about the latest zero-trust best practices and emerging technologies through resources like CISA, NIST, and industry publications.
Collaboration and knowledge sharing: Encourage collaboration and knowledge sharing between OpDivs to learn from each other's experiences and best practices.
Training and development: Regularly invest in training and development programs to keep employees updated on zero-trust principles and best practices.
Question: What does OMB (Office of Management and Budget) want to see from each HHS OpDiv in the transition to Zero Trust Architecture (ZTA)?
THESE ARE ONLY GENERAL EXPECTATIONS BASED ON PUBLIC INFORMATION AND CYBERSECURITY BEST PRACTICES.
By meeting these expectations, HHS OpDivs can demonstrate a commitment to securing their IT infrastructure and adhering to OMB's cybersecurity directives. Remember, this is not an exhaustive list, and it's advisable to consult with official OMB resources or directly contact them for the most up-to-date information on their specific requirements.
General Requested Expectations: (7)
Security Baseline:
OMB likely expects HHS OpDivs to establish a clear baseline for their current security posture. This would involve assessing existing security measures, identifying vulnerabilities, and outlining a plan to address them before migrating to ZTA.
ZTA Implementation Strategy:
A well-defined ZTA implementation strategy demonstrating a phased approach is likely desired. This plan should outline the technologies and tools to be adopted, the migration timeline, and how the OpDiv will ensure user adoption and address any disruptions.
Risk Management:
A comprehensive risk management plan that identifies potential risks associated with the ZTA migration and outlines mitigation strategies is likely a requirement. This should address concerns around user experience, compatibility with existing systems, and potential security gaps during the transition.
Cost-Benefit Analysis:
A cost-benefit analysis outlining the expected financial impact of the ZTA migration is likely necessary. This would involve detailing the costs of implementing and maintaining ZTA, along with the anticipated return on investment in terms of improved security posture and reduced cybersecurity risks.
Reporting and Communication:
Regular reporting to OMB on the progress of the ZTA migration is likely to be expected. This might include milestones achieved, challenges encountered, and lessons learned. Additionally, a clear communication plan for keeping stakeholders informed throughout the process is likely desired.
Alignment with OMB ZTA Standards:
OMB likely has established ZTA standards or guidelines that HHS OpDivs must adhere to during the migration process. These standards may outline specific security controls, protocols, or technologies that must be implemented.
Transparency and Collaboration:
OMB likely expects HHS to be transparent about its ZTA implementation efforts and collaborate with them throughout the process. This might involve sharing best practices, lessons learned, and any emerging challenges.