Article | May 27, 2021
“Belonging to the essential nature of a thing; originating and included wholly within an organ or part.” That is the definition of “Intrinsic.” When we were developing the “IT Manhattan Project” framework, we were doing so in direct response to some of the most significant hacks in U.S. Federal history, which piled on to the already unprecedented push to expedite the modernizing of federal IT because of the COVID-19 response. The COVID-19 response shifted the way that the U.S. federal government operated, where our workforce worked from, the immediate need for mobile ‘available from anywhere’ workloads, and how to both secure and support that new way of doing federal business. A new, vigorous push towards rapidly modernizing federal IT environments was underway. Ultimately, it laid the groundwork for producing transformational federal memos and oversight by way of some of the following:
Executive Order 14028: “Improving The Nation’s Cybersecurity”
M-22-09: OMB’s Zero Trust Strategy
NIST 800-53rev5: Fulfilling an expedited realization of the overall intent of NIST 800-53r5 through the emphasis on things like conditional access, TIC 3.0 frameworks, Secure Orchestration/Automation/Remediation, and modernized, agile approaches to secure micro-segmentation from Hybrid Environments up to Federal Cloud instances
Overall mandates like these carry with them a consistent anthem driving at rapid IT modernization with rigorous proof of performance schedules attached. Piling on top of those Herculean efforts, the urgency was drastically increased by several of the highest profile cyber compromises in U.S. federal history. Rapid modernization had to happen right away. The time for IT transformation was here, backed by promises of significant funding and a high level of political visibility.
The Shift to Zero Trust
At their core, Zero Trust architectures are expected to provide a centralized policy structure that dictates how every individual flow in our IT environments is permitted to talk. No user, host, or flow is permitted without being subjected to rigorous authentication and authorization policy. This shifts our previous understanding of North-South, East-West traffic and how we police it. The foundational intent of Zero Trust architectures centers around applying unified policy to every transaction that occurs between enterprise resources, and doing so in ways that are agnostic to the IT silo that they reside in.
“Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location.”
NIST 800-207 aptly
They go on to explain that the scope of this posture includes all assets, workflows, network accounts, and the like. In summary, police everything, abstract production traffic intent from the underlying infrastructure that supports it, and institute a unified security posture to execute the policing at every network entry point, regardless of the domain. We all know that this is a tectonic but much-needed shift in our industry. I’d go so far as to say that the successful instantiation of this approach across Federal IT environments is critical to our national security going forward.
Management Complexities
Enterprise IT domains contain varied mixtures of OEM solutions and home-grown tools, and use a wide variety of protocols to intercommunicate that aren’t necessarily standardized. Each of these domains is normally managed by separate IT teams who specialize in maintaining those environments. In the federal landscape, these domains aren’t just managed by separate enterprise IT teams, but are commonly managed by different contractors. Therefore, IT security organizations have a difficult time achieving and maintaining the operational awareness required to enforce centralized policy. These cultural complexities, exacerbated by budgeting concerns, have created a fatalistic mentality when it comes to far-reaching mandates. This is where the tectonic shift in architectural and administrative approach is so necessary. This is where multidomain architectures shine.
Let’s define a common baseline of enterprise domains seen across traditional IT environments:
Cloud
Data Center
Enterprise Networking
Extended Enterprise (IoT, OT/ICS)
Remote Access
But to deliver successful Zero Trust across the enterprise, it is first necessary to understand some foundational building blocks on which to construct our architectural approach:
We can’t have MULTIDOMAIN POLICY without first achieving fuller
We can’t deliver macro and micro-segmentation without first having robust MULTIDOMAIN
We can’t have multi-vendor MULTIDOMAIN Zero Trust POLICY without sensical INTEGRATIONS to stitch each enterprise domain together.
Let’s face it, enterprise IT environments don’t simply include infrastructure from a single manufacturer, or even a few key manufacturers. Rather, our enterprise IT environments are represented by a plethora of IT manufacturers specializing in different niches of IT and the domains they are commonly found in. These environments are managed by different Federal IT organizations, different contractors who support these Federal IT organizations, and many different teams that support each common IT silo. These teams support oft-compartmentalized areas like Network Security Operations, Network Operations, Data Center Operations, Institutional Services, Wide Area Networking contracts, and Operational Technologies, with dotted lines to different leadership oversight like CIO Programs, CTO Architecture, the Cyber Security Office, and the audit oversight bodies that they are subjected to. Together, these make up a complex support structure that isn’t necessarily streamlined for efficiency.
Summary and Overarching Goals
In articles to follow, you’ll see us referencing the IT Manhattan Project framework several times. Though many details of the framework can’t be discussed due to their sensitivity, the foundational principles are relevant across the board when pursuing intrinsic multidomain Zero Trust.
Establish Visibility (Administration, Telemetry, Assurance)
Define Straightforward Policy Structure and Hierarchy (Auth Chains)
Perform Multidomain Integrations (API Integrations)
Deploy Software-Defined Framework (Day-0, Programmable Fabrics, Multi-OEM Fabric Integrations)
Establish Sensical Automation Runbooks (Day-2 Operations)
We will also explore some areas that deliver unexpected value to the agency business in immediate ways. All of this will help create a cohesive story that helps CIOs, CISOs, and enterprise architects alike communicate the criticality of this multidomain Zero Trust approach to agency leaders across the federal spectrum.
Article | July 11, 2022
On April 8, 2020, the Federal Trade Commission (FTC) – a United States government agency that is the nation’s primary privacy and data security enforcer – issued guidance to businesses on the use of Artificial Intelligence (AI) for machine learning technology and automated decision making with regard to federal laws that included the Fair Credit Reporting Act (FCRA) that regulates background checks for employment purposes.
Article | July 12, 2022
Cities, counties, and states are being forced to upgrade or purchase new technology. The old legacy systems are now inadequate, inefficient, and somewhat dangerous because of their vulnerability to hacking. Many of the old systems are almost completely obsolete. They are unable to accommodate new applications.
In today’s data driven world, technology modernization leads to less cost, increases in efficiency, fewer requirements for human resources, and huge increases in convenience for citizens. Research on numerous capital improvement plans for cities, counties, and states reveals that funding is being allocated for major technology purchases and upgrades throughout the country.
Massachusetts
In a bill just signed by the governor, the Act Financing the General Governmental Infrastructure of the Commonwealth, $660 million has been allocated for information technology (IT) needs. Community colleges are scheduled to receive $140 million for cybersecurity, software, hardware, and infrastructure upgrades. Public schools will be eligible for competitive matching grants from a program that received $50 million. Much of the education funding will be used for access to broadband and other digital learning curricula. The IT funding includes $10 million for a statewide data sharing system for all criminal justice agencies and $10 million for the state’s Department of Health.
Cities and counties in Massachusetts also will receive funding. Somerville will get funding for its need to acquire modern backup IT appliances and for disaster and cybersecurity projects. The county of Berkshire is granted funding for a study to determine the cost of constructing a municipal broadband network. Avon will receive funding to move the township’s financial software to the cloud for increased security, and Easton will get funding for an e-permitting geographic information system and some technology-based service delivery software.
Texas
City leaders in Houston plan to spend millions to upgrade some outdated technology. The current computer-aided dispatch (CAD) system is more than 13 years old and has limited functionalities. The city's public safety department is in need of a new system to efficiently respond to police, fire, and medical calls for services. Funding allocations are outlined in the city’s 2021-2025 Capital Improvement Plan. The public safety CAD replacement is scheduled to receive $1 million, and the city has allocated $2.2 million for new budgeting software.
Nevada
The Las Vegas Public Works Department plans to procure a software solution for the city’s capital improvement project program management system (CPMS). The department is challenged with aging IT infrastructure and reduced resources, and each phase of the CPMS currently uses separate software applications. This is labor intensive and ineffective. The plan is to have one software solution that tracks and manages all phases of the CPMS, including concept, planning, design, permitting, construction, and closeout. The city has budgeted $350,000 each year from 2021-2025 to complete this project.
Virginia
The city of Norfolk plans to upgrade its Department of Utilities’ billing system at a cost of $2 million. Over two years, city leaders plan to spend $4 million per year to purchase IT infrastructure. Purchases will include public safety radios, courthouse equipment, an electronic health record system, security appliances, a cybersecurity assessment, and upgrades to the e-services platform.
The city of Portsmouth will upgrade its financial software beginning in 2021 with full implementation by 2024. The project will include software and hardware upgrades and the streamlining of third-party software. Beginning in 2022, the city will purchase record retention software to house permanent, and eventually all, citywide digital records. Plans also call for updating the city’s public safety records management/computer aided dispatch system at a cost of $900,000. New software will improve mobile computing and analysis tools, management dashboards, and multijurisdictional expandable capabilities for future potential collaborations with surrounding communities.
Pennsylvania
The city of Philadelphia’s Office of Innovation and Technology has a total of $153.6 million in city tax-supported funding programmed over its six-year FY21-FY26 capital program. Of the $22.5 million recommended, $8.67 million is for major upgrades for network infrastructure stabilization and enhancement. Another $13.83 million will support citywide departmental applications. This funding will be used for replacement of an old tax legacy system, a new personnel accountability system for the fire department, an integrated jail management system, and an enterprise resource platform modernization effort for procurement, accounting, and logistics. In 2021, the city also will design and implement a new fare collection system at a cost of $1.54 million to replace or enhance the current revenue collection equipment.
North Carolina
The Forsyth County Board of County Commissioners has approved a 2020-2021 annual budget which includes a $6.2 million enterprise resource planning system. The county’s budget, finance, and human resources software programs are in critical need of replacement. In Chatham County, there are plans to replace the current tax office software at a cost of $1 million, and the current software is being evaluated for new purchases.
Oregon
The city of Salem’s Information Technology Department has announced plans to update its financial system at a cost of $650,000. This upgrade is needed to maintain support of the application and increase functionality. The city also plans to update its enterprise storage array at a cost of $250,000. This equipment is primarily used for enterprise applications including financial services, cash handling, parking, utility billing, police records, and other city records flagged for retention purchases.
There is absolutely no doubt – 2021 will be a good year for companies that have new technology to sell to public officials.
Mary Scott Nabers is president and CEO of Strategic Partnerships Inc., a business development company specializing in government contracting and procurement consulting throughout the U.S. Her recently released book, Inside the Infrastructure Revolution: A Roadmap for Building America, is a handbook for contractors, investors and the public at large seeking to explore how public-private partnerships or joint ventures can help finance their infrastructure projects.
Article | June 24, 2020
Federal agencies design a wide range of tools, equipment, vehicles and even rockets. Computer-aided design (CAD) technology allows agencies and users to create digital designs more efficiently. CAD is used for a lot more than designing buildings, but is a basic building block of a more advanced tool known as Building Information Modeling, or BIM. CAD can be used to render 2D digital models of products, equipment and buildings. BIM takes those efforts to the next level and serves as a 3D design tool to “create and simulate how a building would operate,” says Andrew Friendly, associate vice president of government affairs at Autodesk, a leading CAD and BIM firm.