Nearly three years ago, the General Services Administration (GSA) embarked on its official journey towards zero trust architecture (ZTA), helped by a $29.8 million Technology Modernization Fund (TMF) award.
GSA’s Chief Information Security Officer (CISO) Bo Berlas – who is spearheading the agency’s ZTA journey with the CIO shop – told MeriTalk in an exclusive interview that the Federal procurement agency has notched significant progress for ZTA in its initial three areas of focus: users; devices; and networks.
“Our strategy has been a long time in the making. We didn’t think zero trust just because the executive order was framed and signed, it essentially started many years before that,” Berlas said. “We were always focused on trying to understand our destination.”
The CISO said when he started his current role at GSA, it was his job to “understand what our destination was – what our shiny house on the hill would look like.”
“We had done a top-to-bottom evaluation of all our capabilities, our threats, and challenges around mounting an effective and unified cyber defense approach. And part of that involved development of a software-defined security vision,” Berlas said. “That software-defined security vision reflected a whole lot of the requirements that align very closely – if not exactly to – the Federal zero trust strategy.”
The CISO said GSA quickly transitioned its software-defined security strategy into a zero trust implementation plan.
When GSA applied for the TMF funding, Berlas said the agency focused on three of the foundational pillars of zero trust: users, devices, and networks. The other two pillars are applications and data.
“If you’re building a home, you’re going to build from the ground up,” he said. “If you’re going to build zero trust, you’re going to build it around the base infrastructure – users, devices, and networks – before you focus on apps and data.”
One of the ZTA projects GSA focused on with its TMF money was leveraging a secure access service edge (SASE) solution and enhancing the security of its Building Systems Network (BSN).
“We have a special role in government. Through the Public Buildings Service, we’re custodian to all the Federal buildings to the tune of 9,000 real estate assets, of which 1,500 are directly owned, and over 600 are integrated into our broader IT ecosystem. And for those, we focused on implementing microsegmentation technology for securing OT/IoT on our BSN,” Berlas said.
“And for the users and devices, we implemented a secure access secure edge solution, ensuring that two machines sitting right next to each other on the network could not see each other, let alone communicate with one another,” he added.
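The property Berlas describes, adjacent machines on one network segment that cannot reach each other unless a policy explicitly allows it, is the core of microsegmentation. The following is an added illustration, not GSA's code or configuration: a toy default-deny policy engine in which access is granted by identity tags rather than by network adjacency. The device names, addresses, tags and rules are constructed for the example; the BACnet/IP port 47808 is used only as a familiar building-automation port.

```python
"""Toy microsegmentation policy engine (added example, not GSA's code).

Devices on the same subnet get no access from adjacency alone; a flow is
permitted only when an identity-based allow rule matches. All devices,
tags and rules below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    tags: frozenset  # identity labels, e.g. {"hvac-controller"}


@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    port: int


@dataclass
class SegmentPolicy:
    """Default-deny: only an explicit (src_tag -> dst_tag : port) rule allows traffic."""
    rules: list = field(default_factory=list)

    def allow(self, src_tag: str, dst_tag: str, port: int) -> None:
        self.rules.append(Rule(src_tag, dst_tag, port))

    def decide(self, src: Device, dst: Device, port: int) -> bool:
        for r in self.rules:
            if r.src_tag in src.tags and r.dst_tag in dst.tags and r.port == port:
                return True
        return False  # no matching rule: deny, regardless of network position


def same_subnet(a: Device, b: Device, prefix: int = 24) -> bool:
    """True when both devices sit in the same /prefix; shows adjacency is irrelevant."""
    net_a = ipaddress.ip_network(f"{a.ip}/{prefix}", strict=False)
    return ipaddress.ip_address(b.ip) in net_a


def audit_flows(policy: SegmentPolicy, flows: list) -> dict:
    """Evaluate (src, dst, port) flows; return a dict of flow label -> decision."""
    return {
        f"{src.name}->{dst.name}:{port}": policy.decide(src, dst, port)
        for src, dst, port in flows
    }


# Constructed sample segment: two HVAC controllers, a BMS server, and a laptop
# that all share 10.20.5.0/24 (addresses are illustrative only).
HVAC1 = Device("hvac1", "10.20.5.11", frozenset({"hvac-controller"}))
HVAC2 = Device("hvac2", "10.20.5.12", frozenset({"hvac-controller"}))
BMS = Device("bms", "10.20.5.20", frozenset({"bms-server"}))
LAPTOP = Device("laptop", "10.20.5.30", frozenset({"user-workstation"}))

POLICY = SegmentPolicy()
# The only sanctioned flow: controllers report to the BMS server over BACnet/IP.
POLICY.allow("hvac-controller", "bms-server", 47808)

SAMPLE_FLOWS = [
    (HVAC1, BMS, 47808),    # sanctioned
    (HVAC1, HVAC2, 47808),  # peer-to-peer between controllers: denied
    (LAPTOP, HVAC1, 22),    # workstation to controller: denied
    (BMS, HVAC1, 47808),    # no reverse rule defined: denied
]


def run_demo() -> dict:
    """Return the decisions for the constructed flows."""
    return audit_flows(POLICY, SAMPLE_FLOWS)


if __name__ == "__main__":
    for label, allowed in run_demo().items():
        print(f"{label:24s} {'ALLOW' if allowed else 'DENY'}")
```

A real deployment would evaluate stateful reply traffic, not just initiator flows, and would source the tags from the device inventory rather than hard-coding them; the point the toy makes is that `same_subnet(HVAC1, HVAC2)` is true while `decide(HVAC1, HVAC2, 47808)` is false.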
The TMF funding also helped GSA modernize how it connects users and devices to applications and data, so as to better support multi-cloud hybrid architectures, through development of a modern enterprise Identity, Credential, and Access Management (ICAM) solution.
“We looked at our existing directory infrastructure, that was challenged at best, and really came up with modernized cloud directories to connect our users and devices to applications and data,” Berlas said. “One of the key tenets of M-22-09, aligned to CISA’s five ZTA pillars, involves implementation of impersonation-resistant multifactor authentication to protect against sophisticated online attacks.”
“In order to be able to achieve it, we found that we needed to go through and modernize because our existing solution lacked needed capabilities,” the CISO said. “So, we’ve been focused around moving forward to a new cloud-based enterprise single sign-on solution (SSO).”
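The M-22-09 tenet Berlas cites, impersonation-resistant (phishing-resistant) MFA, works because the authenticator signs the relying party's challenge together with the origin the browser actually connected to, so the relying party can reject any assertion minted for a different site. The following is an added example, not GSA's or any vendor's code: a simplified FIDO2-style exchange in which HMAC stands in for the public-key signature a real authenticator produces, and the origins, user name and key are constructed for the illustration.

```python
"""Simplified origin-bound MFA verification (added example, not GSA's code).

HMAC with a per-registration secret stands in for the public-key signature of a
real FIDO2 authenticator; the verification steps (signature, origin, challenge)
mirror what a relying party checks. Origins and user are constructed.
"""
import hashlib
import hmac
import json
import secrets


class Authenticator:
    """Signs (challenge, origin) exactly as the browser reports them."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)

    def registration_key(self) -> bytes:
        # Simplification: a real authenticator exports a public key, never the secret.
        return self._key

    def sign(self, challenge: bytes, origin: str) -> dict:
        client_data = json.dumps(
            {"challenge": challenge.hex(), "origin": origin}, sort_keys=True
        ).encode()
        sig = hmac.new(self._key, client_data, hashlib.sha256).digest()
        return {"client_data": client_data, "signature": sig}


class RelyingParty:
    """Verifies signature, then origin, then freshness of the challenge."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.keys: dict = {}
        self.pending: dict = {}

    def register(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def new_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, assertion: dict) -> tuple:
        key = self.keys.get(user)
        if key is None:
            return (False, "unknown user")
        data = assertion["client_data"]
        expected = hmac.new(key, data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return (False, "bad signature")
        client = json.loads(data)
        # Origin binding is what makes the factor impersonation-resistant:
        # an assertion signed for any other origin is rejected here.
        if client["origin"] != self.origin:
            return (False, "origin mismatch")
        challenge = self.pending.pop(user, None)
        if challenge is None or client["challenge"] != challenge.hex():
            return (False, "challenge mismatch")
        return (True, "ok")


# Constructed values for the demonstration.
RP_ORIGIN = "https://sso.agency.example"
OTHER_ORIGIN = "https://sso-agency.example"  # a different origin, not the RP's
USER = "alice"


def run_demo() -> dict:
    """Return the verification outcome for a genuine and a wrong-origin assertion."""
    rp = RelyingParty(RP_ORIGIN)
    token = Authenticator()
    rp.register(USER, token.registration_key())

    # Genuine login: browser is on the RP's own origin.
    c1 = rp.new_challenge(USER)
    genuine = rp.verify(USER, token.sign(c1, RP_ORIGIN))

    # Same user, same authenticator, but the browser reports another origin.
    c2 = rp.new_challenge(USER)
    wrong_origin = rp.verify(USER, token.sign(c2, OTHER_ORIGIN))

    # Replaying the genuine assertion after its challenge was consumed.
    replay = rp.verify(USER, token.sign(c1, RP_ORIGIN))

    return {"genuine": genuine, "wrong_origin": wrong_origin, "replay": replay}


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name:13s} {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The ordering matters: the signature is checked before the origin so that a forged `client_data` cannot be used to probe which origins the relying party accepts, and the challenge is consumed on first use so a captured assertion cannot be replayed.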
“Our modernized SSO, coupled with the cloud directory approach as well as our secure access secure edge implementation, fundamentally changes how we connect our users, improving security,” Berlas told MeriTalk.
While he recognized zero trust as a continuous journey, the GSA CISO marked some tasks on the TMF project as already complete.
“In terms of our secure access secure edge deployment, we’re fully deployed, and have disconnected from what is called the traditional Trusted Internet Connection routing architecture,” he said. “That resulted in some fundamental benefits, including cost savings to the agency that we have reappropriated to other higher security needs; faster internet; improved security controls and reduced complexity; and improved user experience.”
He added, “to user experience, our users are connected to GSA everywhere all the time whenever their machine is online. It’s not a matter of having the protections when you’re in the office. We have the protection everywhere – whether you’re at home, at Starbucks, or in the office, your experience is exactly the same. So, the user experience element has really been profound.”
Berlas said his team has been able to use the success from the SASE deployment as a “springboard” for other projects in GSA’s zero trust journey.
“In terms of microsegmentation for our buildings, we’ve nearly met our stated TMF goal of 500 buildings. We expect to hit that milestone here this summer,” Berlas said.
GSA didn’t stop at users, devices, and networks on its zero trust journey, the CISO said. It has also been working to improve security operations by adopting more ML- and AI-driven models that connect diverse data sources and highlight threats, providing security oversight for cyber supply chain risk management, and expanding its core security operations centers to cover government-wide public-facing digital services.
“The broad sets of active projects – from microsegmentation of users, devices, and networks, new cloud directories and enterprise single sign-on, and our focus around supply chain – are all brought together through our security operations center, where we are investing heavily in automation with AI/ML and custom dashboarding. These projects – coupled with incident response and hunt capabilities – allow us to scale our human capital. You have to do all of these things,” Berlas said.
“Fundamentally, they’re all integrated,” he said. “They all fit in one – kind of like a puzzle.”
Berlas has spent his entire Federal career at GSA, starting in 2002 as a senior IT specialist. Five years ago, he took on the role of CISO.
“Two decades go by in the blink of an eye,” he continued. “If you’re passionate about what you do, and you’re in it for the right reasons, the time just floats by.”
“While there’s always more to do, I do believe the changes we have ushered in over the last set of years are really all the right changes,” he concluded. “They are aligned with the Executive Order for Improving the Nation’s Cybersecurity and facilitate a more unified approach to cyber defense across GSA. I am just really proud and happy to play a small part in that for our agency and a small part in the security of our government.”