The House of Representatives started its journey to push security to the edge by first looking internally.

With hundreds of end points in member offices across the country, House technology leaders had to take stock of what cyber tools they were already using.

Jamie Crotts, the chief information officer for the House of Representatives, said that initial assessment of its current state of cyber tools and how they fit into the zero trust model was the first step in their improving the overall cyber posture of the lower chamber of Congress.

Jamie Crotts is the chief information officer for the House of Representatives.

“We plan on a three-year technology roadmap cycle. So it’s about understanding which step is the next best step to get us the most benefit for the architecture and for our users. And from that point, we adjusted our roadmap and our planning,” Crotts said on Ask the CIO. “We began budgeting for some of the larger items that are going to be more long term, and we began implementing things that we could do immediately, that were more quick wins, if you will, and that’s still where we are.”

While the House doesn’t have to meet the executive branch mandates under zero trust, Crotts said the maturity models developed by the Cybersecurity and Infrastructure Security Agency and Defense Department are helping to guide their efforts.

The initial zero trust assessment mapped against their current IT roadmap, which is broader than just cybersecurity, led to some adjustments for current and future planning as well as where to invest its limited budget.

Crotts said that mapping led the team to realize that achieving initial capabilities under zero trust was as much as about adjusting the way they did cybersecurity as it was about new tools.

“Looking at it from the users, devices, applications and the network, every single layer of that, we examined how our efforts were going to be able to make improvements. When we looked at the assessment and we saw we can get better at, say, provisioning of devices for users, we can do things a little bit differently that will get a slightly more secure device in their hands in a slightly faster time frame. That is something that would be low hanging fruit for us,” he said. “If it’s as simple as adjusting the way we do imaging to make sure it’s inclusive of certain types of tools, we would be able to take care of that without having to plan for a long-term investment that wasn’t already there. We’re not buying a new tool. We’re adjusting an existing process, and that’s most of our quick wins.”

Flexibility remains key to meeting cyber needs

At the same time, Crotts said they are optimizing existing cyber tools to push them closer key areas of zero trust.

“We spend a lot of money on these tools, whether they be cyber tools, specifically, monitoring analysis tools or general IT productivity tools, applications and suites. But we rarely take the time after we have purchased and implemented it to step back and say, ‘Are there other toggles we could adjust that give us a bit more benefit?’ So, part of our assessment from the zero trust side did exactly that,” he said. “It pointed out that we have some investments in tools giving us a bit of an overlap, which can result in a cost savings. If we identify turning on this widget and this tool actually allows us to stop buying this other tool, that’s a win. That’s essentially how we spent the last year, looking at the tools that we’ve already invested in reducing technical debt is something everybody’s trying to do. So every quick win we can get is amazing.”

Like most IT organizations, the House budgets on a multi-year cycle, so Crotts said they do their best to guess what cyber tools or IT applications they will need in a few years. He said having flexibility in existing tools and processes helps close gaps that otherwise they would have to wait for funding to address.

One example is how the House implemented cloud access security broker (CASB) capabilities.

“It might not be doing exactly what we want it to be doing, or we want to look at the way we do our web access firewalls a little bit differently or routing traffic differently coming from the far edge, things like that take a little bit more time,” he said. “We have to do that thorough analysis. We have to make an investment once we pick the right tool that’s going to work for our architecture. That’s really how we chalked up all of those things, so not necessarily by the pillar that they naturally belong in, but across all the pillars, where can we actually have the most innovative benefit for the House?”

With some initial zero trust capabilities implemented, Crotts said the next focus area is around the data pillar.

Focusing on the data pillar of zero trust

He said his team is spending a lot of time understanding their data governance model.

“Data is data, but the importance of that data is unique to the organization that creates it. Nowhere is that more true than in the legislative branch, where we have different types of data that other people don’t have to deal with, things like legislation data that’s protected by the Speech and Debate Clause of the Constitution. Those types of non-traditional data governance problems, if you will, are things that we’re trying to wrap our minds around,” Crotts said. “How do you do proper tagging of that kind of data? How do you understand the flow of that data throughout your enterprise? When it’s not as simple as tagging a Social Security Number automatically because I know what that looks like, but for some of these more ethereal concepts, it takes a real understanding.”

Crotts added that means analyzing current and possibly future tools to help manage the data as well as creating schemas that let data move securely and efficiently through the network.

“A lot of good security practices come back to the fundamentals of, can you invoke it in a policy and actually enforce it? So once we understand the data types in the data flow, and we get sort of the organizational agreement on, ‘Yes, these are the things and this is the level at which we want to want and need to protect them,’” he said. “Then setting up that structure becomes the next challenge, if you will. A lot of best security practices can be put in play there, but like everything else, you need to define it first.”

Once the House can define and manage its data, then applying a more strict version of privileged access management to further protect systems and data will be possible.

At the same time, Crotts said his team has to understand their users’ needs, of which there are thousands of people on Capitol Hill and across 900 district offices that need access to systems and data, to balance their experience with the cybersecurity requirements.

“A proper security tool configured well does not have to interrupt workflow. And that’s really key to understanding those challenges,” he said. “Every time a user has to stop and log into something else or authenticate or pull up their token numbers and reauthenticate, you have lost them. They become upset with the process, even if it’s perfectly efficient, you’ve interrupted them. You should only do that as little as possible. But then you need to trust that once they are logged into that session, that you’ve got the other controls in place to make sure that the accesses prevent them from moving laterally to a place where they shouldn’t be. If you’ve got all that in place, then you can trust that login and you don’t have to go through all those other processes.”

The post House’s zero trust journey is more process than technology update first appeared on Federal News Network.