Lawrence Hale, who recently took over as Acting Deputy Assistant Commissioner for Category Management, Office of Information Technology Category at the General Services Administration’s (GSA) Federal Acquisition Service, explained today that his office’s fiscal year 2023 priorities focus on helping Federal agencies work toward easier cloud service adoption and continued progress in zero trust security migration.
Speaking at an event organized by ATARC, Hale said “we are working real hard” on the cloud special item number (SIN) on the IT schedule to help improve how agencies can respond to the cloud adoption imperative in the Biden administration’s cybersecurity executive order issued in May 2021.
“We’re working on setting up something on top of the cloud SIN to improve the ease of use, to improve the ability to acquire cloud, and buy cloud the way industry buys its cloud,” he said.
“Government regulations … sometimes make it complicated to consume cloud in the way that our cloud service providers want to sell it,” he said. “So we’re working to try and ease that process and build in the compliance that’s necessary at the same time.”
“Watch this space for our cloud activity as we work through that,” Hale said.
Zero Trust Priority
Another major priority continuing into FY2023, Hale said, is helping agencies with their zero trust security migrations as mandated by the cybersecurity executive order. Others include “rolling out pretty much anything ‘as a service … or X-as-a-service,’” improving equity in procurement by helping small businesses get access to government customers and focusing on improving customer experience.
On the zero trust front, Hale talked about GSA’s work with the Cybersecurity and Infrastructure Security Agency (CISA) on a zero trust buyer’s guide “to help agencies assess where you are on your zero trust journey and determine what the most important next steps are.”
“Zero trust is not a destination, zero trust is a constant journey, zero trust is a change in philosophy,” he said, adding, “it’s how we deal with what we have and how we protect what we have.”
In support of agencies’ migration to zero trust architectures, he said GSA is particularly focused on cyber supply chain risk management, including standing up an acquisition community of practice for that area.
“We work in partnership with CISA to expand cyber requirements across all the best-in-class contracts – those at GSA and the other best-in-class contracts,” he said. “And we maintain the Highly Adaptive Cybersecurity Services (HACS) SIN … since a lot of the services necessary for implementing zero trust are available on the HACS SIN,” Hale said.
“In addition to that, we’ve included the Cybersecurity Maturity Model Certification (CMMC) as an option in some of our GWACs,” he said. “That allows industry to opt in if you have a CMMC, or are working on a CMMC … you can include that in your offerings on the GWACs, and agencies who want to access companies who are certified in CMMC then can use those vehicles to access those companies.”
“We see that as a great opportunity to help improve the cybersecurity to bake it in, not make it optional,” he said.
Hale also emphasized that while getting agencies to zero trust security architectures is the “gold standard” of end results, “getting to zero trust doesn’t mean you throw out everything you have and start over on cybersecurity.”
“The cybersecurity programs and cybersecurity tools that you have in place, for the most part, can be built into your zero trust architecture,” he said.
“It is most important to assess what you have, identify your high-value assets, and then work on that zero trust architecture, perhaps retooling in certain areas, but also making sure that the tools you have are used in a zero trust way so that you know who’s accessing what, every single time – not one time and you get in forever – but every single time,” Hale said.
In particular, he pointed to tools that agencies already use as part of CISA’s Continuous Diagnostics and Mitigation (CDM) program, and said those “can be used for that, they’re a good foundation to build your zero trust architecture on top of.”