Sean Connelly Shares How Zero Trust Modernized Federal Cybersecurity
The Cybersecurity and Infrastructure Security Agency (CISA) is at the forefront of defending the U.S. critical infrastructure from evolving cyber threats. It’s also been a key player in helping the federal government evolve its cybersecurity from a traditional perimeter-based strategy to a modern Zero Trust approach.
In a recent episode of The Segment: A Zero Trust Leadership Podcast, I sat down with a leading architect behind this shift to Zero Trust: Sean Connelly, former director of CISA's Zero Trust Initiative. He offered a look into the transformative changes in federal cybersecurity, the evolution of network perimeters, and practical advice for anyone embarking on a Zero Trust journey.
Keep reading to get a recap of our discussion.
About Sean Connelly
Sean is a leading figure in federal cybersecurity, playing a crucial role in shaping initiatives at CISA over the past decade. He advanced the Zero Trust cybersecurity model, essential to the federal government's defense strategy. He also led the development of the first Zero Trust Maturity Model and co-authored the NIST Zero Trust Architecture.
Earlier this year, he launched the CISA Zero Trust Initiative Office to provide government agencies with the training and resources they need to strengthen their cybersecurity measures.
How CISA helped modernize federal cybersecurity
In the mid-2000s, federal agencies’ networks were growing quickly, and the number of network connections to the internet had increased to an alarming level. The attack surface was growing. Sean recognized that the federal government needed a way to reduce risk across its agencies.
Sean and the CISA team partnered with other U.S. cybersecurity agencies to create the Trusted Internet Connections (TIC) initiative in 2007. The goal was to limit the number of gateways on government networks. It requires all federal internet traffic to be routed through a TIC-approved agency.
Initially, the focus was on securing the network perimeter, which depended on a traditional hub-and-spoke networking model. But over time, with the rise of cloud and mobile technology, federal cybersecurity leaders like Sean realized they needed a more decentralized, data-focused approach.
“Even back then, Cisco and the Jericho Forum mentioned the need for de-perimeterization,” he explained. “One of their commandments was, ‘The more you can put security close to the data, the better it is.’ And that makes sense, right?”
TIC evolved to 2.0 and eventually 3.0, which now encourages agencies to adopt cloud services and Zero Trust to secure against today’s complex threat landscape. TIC 3.0 takes a more flexible, risk-based approach than previous versions of the TIC program.
Sean called TIC 3.0 a “new journey” for federal cybersecurity. It led to a greater balance between data security and network security. This was also a key milestone in the federal government’s adoption of a Zero Trust approach.
Building CISA’s Zero Trust Maturity Model
An important part of this “new journey” was giving agencies practical information on building Zero Trust. Zero Trust required a mindset shift for agencies, but agency leaders also needed tactical details on how to get Zero Trust done.
Sean led CISA’s efforts to create the Zero Trust Maturity Model (ZTMM), published in 2021. The ZTMM is one of the most important roadmaps that federal agencies can use as they move towards Zero Trust.
The ZTMM is a major landmark in the federal government’s Zero Trust adoption. This is because it provides a common language for agencies as they create their Zero Trust plans. Sean had recognized the need for precise guidance when it comes to building Zero Trust. At the time, every agency had a different understanding of Zero Trust. It was causing confusion about what Zero Trust looked like in practice and how it applied to federal security mandates. He noted, “You can put language into policy, but agencies still want to know, ‘Is this what you really mean?’”
After releasing the first version, CISA joined other cyber agencies and SMEs to go agency by agency to discuss their Zero Trust progress and maturity. This resulted in 100+ meetings, including those with vendors, academia, and international governments. CISA added this feedback to the second version of the ZTMM, published in 2022.
“It has resonated,” Sean said, reflecting on the number of times he’s seen the ZTMM’s mountain graphic in presentations and articles. “I think the tease, though, is when you get to the summit of that mountain, it's really a mountain range.”
Sean emphasized that Zero Trust is never complete; it’s an ongoing journey. “We'll move the flag, we'll move the goalposts at some point as tech evolves,” he explained. “We always need to be adding new ways to build Zero Trust.” To that end, Sean sees the ZTMM as a living document that should continuously reflect the current state of cybersecurity.
5 steps to Zero Trust
According to Sean, if he were to walk into a meeting with people just beginning their Zero Trust journey, he’d recommend they start with the NSTAC Zero Trust report. This guide, created alongside John Kindervag, the creator of Zero Trust and Illumio’s Chief Evangelist, outlines five steps for building a Zero Trust program.
Here's a breakdown of the five steps we discussed:
- Define the protect surface: Identify what needs protection.
- Map transaction flows: Document data and communication flows within your organization, including system, client-server, and organizational interactions.
- Build the architecture: Develop a data-centric security architecture with security measures close to the protected assets, utilizing signals from the network, host devices, and identity.
- Create dynamic policies: Establish adaptable policies that respond to changing conditions, considering client-server and organizational interactions.
- Manifest, monitor, and maintain: Build, continuously monitor, and maintain the Zero Trust environment to ensure ongoing security and compliance.