The Department of Veterans Affairs is taking a proactive approach to cybersecurity. In partnership with GDIT, the agency is adopting zero trust principles to protect against ever-growing cyber threats and position the VA for long-term resiliency.
Like other federal agencies, the VA has until the end of fiscal year 2024 to meet zero trust requirements as mandated by the Office of Management and Budget, following President Biden’s Executive Order on Improving the Nation’s Cybersecurity.
As the federal government’s second largest agency after the Department of Defense, the scale and breadth of the VA poses challenges with zero trust implementation. The Veterans Health Administration is the largest integrated health system in the United States, serving more than 9 million veterans. VA also operates nearly 2,000 facilities including hospitals, clinics, pharmacies and regional offices.
The enormity of the agency naturally extends beyond buildings and people. Veterans, dependents and caregivers interact with the VA daily through direct contact at medical centers, clinics and regional offices and through VA service centers and self-service applications.
The VA stores vast amounts of data, such as veterans’ service records - which validate eligibility of benefits to veterans and their families - as well as their service treatment records. And VA’s clinical and business staff use millions of devices to deliver benefits to our veterans, making device security a critical component of the zero trust implementation.
To carry out the initiative, GDIT collaborated with various VA teams representing the five pillars of zero trust: identity, devices, networks, applications and workflows, and data. GDIT is employing a phased approach to assess and roadmap the VA’s path to a mission-aligned zero trust security posture.
Phase 1 is a cybersecurity assessment. Through discussions and collaboration with the VA, GDIT analyzed the VA’s current baseline against the Zero Trust Maturity Model developed by the Cybersecurity and Infrastructure Security Agency (CISA). These measurements enable better understanding of the present state of the VA’s cybersecurity posture and helps identify gaps.
Phase 2 is a technical roadmap that defines the VA’s target architecture and offers a set of recommendations to help the organization advance toward a more mature zero trust environment. This roadmap is a living document, updated as the VA’s security posture evolves.
Phase 3 is a movement to isolation architecture. GDIT offers services related to use cases and implementation plans to assist VA system owners and teams to migrate their applications to more secure environments.
GDIT referenced its well established Everest Zero Trust solution to support the agency in its implementation of a zero trust architecture. GDIT Everest Zero Trust is a tailorable solution designed to accelerate mission objectives by providing dynamic access to only the data and services where and when they are needed and securely sharing information.
With extensive experience performing cybersecurity assessments for other federal agencies— including the Department of Energy, Environmental Protection Agency, and the United States Patent and Trademark Office – GDIT has the expertise to identity the VA’s current baseline and any gaps in security.
“The journey toward zero trust is a marathon, not a sprint. Our role is to be a reliable partner and guide the VA in this transformation, prioritizing resources so it can make significant progress in the shortest amount of time.”
One of the biggest changes required by zero trust is moving away from firewall, perimeter-based architecture and instead placing perimeters around each application. Access is granted based on users’ identity, device, network, location, and other factors. This shift in philosophy puts data at the heart of the architecture, which means modifying processes, workflows, and systems across all five pillars of zero trust.
“Implementing zero trust can be a challenging road in terms of technology, but it’s an exciting opportunity for organizational change,” said Paul Simon, GDIT program senior director and VA business area lead. “Zero trust requires authentication and authorization for every application that a user accesses on a continuous basis. That will enhance how the VA conducts business, and how employees and customers access the VA’s systems.”
For example, while VA employees currently use multi-factor, phishing-resistant authentication, GDIT’s roadmap extends an equally high level of security to the agency’s customers: veterans.
The roadmap also lays out plans for another important aspect to zero trust: autonomous cyber defense. By leveraging AI and machine learning capabilities, the VA can achieve real-time visibility into the organization’s security posture, allowing for continuous monitoring and automated threat detection.
“The journey toward zero trust is a marathon, not a sprint,” Simon said. “Our role is to be a reliable partner and guide the VA in this transformation, prioritizing resources so it can make significant progress in the shortest amount of time.”