FBI Considers Zero Trust Architecture
Authorizing official weighs its application with existing FBI platforms.
The Federal Bureau of Investigation (FBI) has a unique role as a federal law enforcement agency as well as a national security department. Its vast information technology enterprise must support its functionality in carrying out these roles, which have different rules of engagement. And when adding new tools, processes or software, the bureau has to consider solutions carefully. With zero trust architecture—a method that combines user authentication, authorization and monitoring; visibility and analytics; automation and orchestration; end user device activity; applications and workload; network and other infrastructure measures; and data tenants to provide more advanced cybersecurity—gaining use in the U.S. government, especially in the Department of Defense, the FBI is considering how zero trust architecture could work in its enterprise infrastructure.
The bureau’s authorizing official that approves its systems has a security perspective from the outset. In his role as the so-called AO, James Allen examines the cybersecurity elements for each tool under consideration. “I get to look at all the security elements for each system that we're trying to bring to the front, or the systems that we currently have online,” he explained, speaking virtually at the AFCEA Quantico-Potomac Chapter luncheon on January 28. Allen holds a doctorate of science degree in cybersecurity from Capitol Technology University and master’s degrees in both information systems management and public administration.
Allen, who retired from the U.S. Navy as a chief petty officer after 22 years of service, is closely examining how zero trust architecture applies to the overall mission capabilities of the FBI. “I'm still looking at how that would be and I'm going to look at it from a security point of view, and how does this fit in our current security world,” the AO stated. “What are those vulnerabilities when you start to bring the protection deeper into a network, and you are connected to areas that are not as secure and how well have you looked at that to make sure that you don't have any back end vulnerability attack vectors.”
The bureau is at the beginning stages of how zero trust architecture will work in its specific enterprise systems. They are working with officials in the Defense Information Systems Agency, or DISA, who are constructing a reference architecture for zero trust for the military’s environment. In August, the National Institute of Standards and Technology, or NIST, issued its zero trust guidelines.
“We're talking with our DISA partners to understand how they're looking at it,” Allen said. “We're reviewing some of the documents that they have provided, including the NIST documents.”
However, it is not just seeing how zero trust can be a digital component, the AO emphasized. The bureau has to examine how the tool fits into policy regulations, auditing and privacy controls, for example. “We're just now beginning to explore that zero-trust network concept and how it may or may not fit into what the FBI's mission is, but also how does it fit into policy regulations, Allen stated. “There's all kinds of elements that could impact that. And we're just now getting into that to make sure we have an understanding of how it fits together and make sure we're doing the right thing specially when it comes to policy.”