Microsoft’s Federal Security CTO on the Impact of OMB’s Zero Trust Strategy
Last January, the Office of Management and Budget (OMB) released M-22-09, a memorandum that set forth the federal government strategy on zero trust adoption, in an effort to reinforce the security and protection of government agencies’ critical systems, networks, and IT infrastructures.
“A transition to a ‘zero trust’ approach to security provides a defensible architecture for this new environment,” read the memo. “Transitioning to a zero trust architecture will not be a quick or easy task for an enterprise as complex and technologically diverse as the Federal Government….Agencies that are further along in their zero trust process should partner with those still beginning by exchanging information, playbooks, and even staff.”
In a recent interview at CyberScoop’s Zero Trust Summit 2022, Microsoft’s Federal Security CTO, Steve Faehl, discussed the impacts OMB’s directives are having on not only government agencies, but also on how Microsoft supports its government customers with their zero trust implementation.
Here are three key takeaways from his interview:
Authentication is a zero trust on-ramp
When asked how OMB’s strategy on enterprise-wide identity and access management tool adoption is impacting the cybersecurity work that Microsoft is doing, Faehl responded by explaining that the pushes for centralized authentication and stronger authentication options have enabled agencies to have better visibility into their zero trust posture.
"THE ZERO TRUST JOURNEY REQUIRES MUCH MORE THAN JUST IDENTITY…" - STEVE FAEHL
According to Faehl, the authentication requirements have given agencies a better and easier “on-ramp” to zero trust, starting with identity. If authentication is centralized, it becomes much easier to begin enforcing zero trust controls within government agency networks.
"The zero trust journey requires much more than just identity," said Faehl. "But it’s a great, easy first starting point due to central authentication. What we’re also seeing is that as agencies have centralized authentication, they’re also able to onboard new capabilities faster."
He went on to say that because of the new capabilities authentication enables, resource access requests that previously took days to get approved now only take a few minutes. "It's about that centralized visibility," said Faehl. "But also about being able to move at the speed of mission."
Identify, Isolate, Segment
When asked how well-equipped today’s federal agencies are at identifying and isolating compromised segments of their IT environments – compared to how they were a couple of years ago – Faehl responded by explaining that agencies are learning, “You can’t wait until post-compromise to try and segment your environment.”
According to Faehl, proactive segmentation of compromised environments is a great way to keep adversaries at bay and to give agencies more time to respond as portions of infrastructure are affected at a time.
"That was one of the takeaways from the SolarWinds attack as well," said Faehl. "On-premises resources can be used to compromise cloud. And the cloud is generally a great source of recovery during cyber response. But if you don’t have the right segmentation for administrative roles between on-prem and cloud, that path can be compromised as well and prevent – what would otherwise be – a manageable recovery."
"AS WE’RE GOING FORWARD, SHOWING EVIDENCE AND SHOWING THE RESULTS OF STRATEGY WILL HELP AGENCIES MAKE MORE INFORMED DECISIONS. SO THAT’S SOMEWHERE THAT MICROSOFT IS INVESTING HEAVILY." - STEVE FAEHL
Faehl also believes that agencies have had a lot of progress around particular asset isolation, especially when automated endpoint detection and response (EDR) or other response tools are employed within their networks. "Where we see the most success is not where humans are making the decision to segment, but where that segmentation is automatically done based on risk."
Future of Microsoft’s government investment
As for how OMB zero trust policies are affecting Microsoft’s investment strategies in how it supports the government, Faehl explained that the company is working with the federal government to ensure that the strategies that they’re providing to agencies are aligned with the direction of OMB.
“As we invest in our zero trust strategies, we’re ensuring that we have good coverage and achievable results across all of the pillars of zero trust so that we’re not just focused in one area, but we can quickly align to whatever it is that an agency needs to provide them a path to success.”
Faehl explained that implementing the framework is an iterative journey and that Microsoft wants to not only provide stellar threat intelligence but also support agencies in understanding which areas are worth investing in first so that they get predictable outcomes.
“In this stage of the game, we’re really in a ‘prove it out phase’ with zero trust,” said Faehl. “As we’re going forward, showing evidence and showing the results of strategy will help agencies make more informed decisions. So that’s somewhere that Microsoft is investing heavily.”
Watch the full interview with Steve Faehl.
Learn how Microsoft is supporting the federal government’s zero trust initiatives.
Related Blog Posts
Federal Fiscal Year End, Federal Government, Market Intelligence, Technology
If you have been confused lately seeing multiple March dates with some mention of the federal budget tied to them, you are not crazy. There are in fact multiple budgets floating out there in the ether: some finalized versions for certain agencies, others still awaiting that vote and presidential approval for fiscal year 2024 (FY24), as well as a wholly new request for funding from the President for FY25 priorities. We will catch you up as succinctly as possible, and if FY24 sounds too confusing, read on to hear what’s catching attention across IT for FY25.
Susanna Patten
Cybersecurity, Federal Government, Market Intelligence, State & Local Government
The 2024 United States presidential election is rapidly approaching, and state and local governments are focusing their efforts on bolstering election security and ensuring the proper safeguards are in place.
Yvonne Maffia
Cloud Computing, Cybersecurity, Market Intelligence
Originally passed in 2014, the Federal Information Technology Acquisition Reform Act (FITARA) was designed to improve the management of all-things-IT across federal agencies. It essentially realigned how the government purchases and updates its technology, with an aim at grading agencies based on their ability to adhere to and improve on the following categories:
Susanna Patten
Cloud Computing, Cybersecurity, Market Intelligence
Originally passed in 2014, the Federal Information Technology Acquisition Reform Act (FITARA) was designed to improve the management of all-things-IT across federal agencies. It essentially realigned how the government purchases and updates its technology, with an aim at grading agencies based on their ability to adhere to and improve on the following categories:
Susanna Patten
Market Intelligence, State & Local Government, Technology
The start of a new year often brings uncertainties; but in 2024 one thing is for certain—artificial intelligence (AI) is top of mind nationwide and is expected to have a transformational impact on our society both now and in the future.
Yvonne Maffia
Federal Government, Market Intelligence, News, Technology
We’re still in the first quarter of the fiscal year and headed toward the holiday season. Historically, that predicates a slower pace across the federal sector, but not this year. This year, artificial intelligence (AI) is having a moment, and nearly everyone across the public sector, including the White House and The Office of Management and Budget (OMB), has something to say about it.
Susanna Patten
Federal Government, Market Intelligence, Technology
The era of heightened environmental awareness calls for decisive action, and the federal government has stepped up to lead this transformative journey. Three federal agencies have carved out significant roles in funding and facilitating environmental remediation technologies: the Department of Energy (DOE), the Environmental Protection Agency (EPA), and the Department of Defense (DoD).
Dawit Blackwell
Federal Government, Healthcare, Market Intelligence, Technology
Modernizing the defense healthcare system has never been more front and center for Defense Health Agency (DHA), the Department of Defense's (DOD) primary arm that manages all things healthcare for military service members and their beneficiaries. With acts of war and terrorism arising from overseas and the possibility of having our troops involved in future conflicts, patient healthcare and service preparedness are top priorities for the agency. So, the DHA is looking to work across federal agencies and industry to strengthen its healthcare systems.
Toan Le
Market Intelligence, State & Local Government, Technology
Numerous reports by various organizations, including the Government Accountability Office, have consistently found insufficiencies in state unemployment insurance programs. These insufficiencies were laid bare during the COVID-19 pandemic when increased need for such services, combined with an increase in fraudulent activity targeting unemployment insurance programs, overtaxed states’ unemployment insurance systems.
Gabriel Zighelboim
Cloud Computing, Cybersecurity, Education, Market Intelligence, State & Local Government, Technology
The annual EDUCAUSE conference highlighted higher education technology trends, goals, challenges, and how to identify a way ahead for higher education institutions to be successful in today’s modern world.
Yvonne Maffia
Cloud Computing, Cybersecurity, Education, Market Intelligence, State & Local Government, Technology
The annual EDUCAUSE conference highlighted higher education technology trends, goals, challenges, and how to identify a way ahead for higher education institutions to be successful in today’s modern world.
Yvonne Maffia
Cloud Computing, Cybersecurity, Education, Market Intelligence, State & Local Government, Technology
The annual EDUCAUSE conference highlighted higher education technology trends, goals, challenges, and how to identify a way ahead for higher education institutions to be successful in today’s modern world.
Yvonne Maffia
Cybersecurity, Education, Federal Government, Market Intelligence, Technology
Over the last few months, there have been several recent cybersecurity initiatives at the federal level, aimed at bridging gaps in K-12 cybersecurity policy and strategy.
Yvonne Maffia
Cybersecurity, Education, Federal Government, Market Intelligence, Technology
Over the last few months, there have been several recent cybersecurity initiatives at the federal level, aimed at bridging gaps in K-12 cybersecurity policy and strategy.
Yvonne Maffia
Cloud Computing, Cybersecurity, Market Intelligence
The Air Force hosts an annual summit known as Department of the Air Force Information Technology and Cyberpower (DAFITC) in Montgomery, Alabama, right next to Maxwell Air Force Base. It’s an opportunity for Guardians, Airmen, academics, and IT industry to come together to discuss pain point remedies and high-level plans and strategies. It is also an opportunity for branch heads to strike deals that lead to the adoption of modern and effective systems, meant to enable air superiority. Ms.
Kevin Shaker
Cloud Computing, Cybersecurity, Market Intelligence
The Air Force hosts an annual summit known as Department of the Air Force Information Technology and Cyberpower (DAFITC) in Montgomery, Alabama, right next to Maxwell Air Force Base. It’s an opportunity for Guardians, Airmen, academics, and IT industry to come together to discuss pain point remedies and high-level plans and strategies. It is also an opportunity for branch heads to strike deals that lead to the adoption of modern and effective systems, meant to enable air superiority. Ms.
Kevin Shaker
Federal Government, Technology
TD SYNNEX Public Sector Receives a $342 Million U.S. Department of the Navy Enterprise Agreement
for Oracle Software and Services
Doing business with federal agencies has unique opportunities and challenges, particularly when it comes to procuring IT solutions.
On one hand, the U.S. federal government is the world’s largest buyer of IT products and services, so there’s a tremendous need. But acquiring those solutions can be arduous, and managing the intricacies of licensing and pricing can be an ongoing burden.
Darian Mian
Cybersecurity, Internet of Things, IT Infrastructure, Market Intelligence
IoT and Its Impact on Infrastructure and Governance
The Internet of Things (IoT) revolutionizes how governments, organizations, and citizens interact with the physical world. This wave of interconnected devices promises a transformative infrastructure and governmental operations shift. However as the reach of IoT grows, the implications — especially related to security — become even more profound.
Dawit Blackwell
Application Lifecycle, DevSecOps, Federal Government, State & Local Government, Technology
Government agencies strive to lower the cost of products and services to save taxpayers money. They also aim to shorten “procurement administrative lead time,” or PALT—the time from identification of need to delivery of value—to expedite their missions without delay.
Ben Allen
Market Intelligence, Technology
The Market Insights team is closely monitoring the immediate and long-term effects of the debt ceiling agreement, and we'll keep you informed of any updates. Here are our initial observations:
Immediate Impact:
Lloyd McCoy
Application Lifecycle, State & Local Government, Technology
The good news is that we’ve officially moved into the next phase of the pandemic, where the White House expects the threat of serious illness to be considerably diminished. But the bad news? Nearly 18 million Americans stand to lose the Medicaid benefits granted to them during the public health crisis as eligibility determinations return to pre-pandemic guidelines.
Vishal Hanjan
Federal Government, Market Intelligence, Technology
Edge computing is transforming the public sector, providing increased efficiency, better decision-making, and improved services. The use of AI and machine learning is driving the adoption of edge computing in both federal and state/local government sectors. We will be examining what edge computing means for the public sector, explore recent developments and specific federal contracts, and discuss opportunities for information technology (IT) vendors and partners in this growing field.
Dawit Blackwell
Federal Government, Market Intelligence, Technology
This is part of a podcast series where the TD SYNNEX Public Sector Market Insights team provides insights and analysis on IT opportunities across the public sector. This episode features Kevin Shaker, Senior Manager of Lead Gen & Market Intelligence where he discusses the opportunities around, and how to navigate, the federal government’s fiscal year-end. Listen to the full podcast here.
Kevin Shaker
Application Lifecycle, Technology
In successful federal government acquisitions, an agency’s needs are met in the most effective, economical, and timely manner. The key to meeting your acquisition objectives? Proper acquisition planning—which begins well before you write your plan document. In other words, plan first, document later.
Ben Allen
Application Lifecycle, Technology
Whether deploying a ship or a software application, a new acquisition is only as good as its requirements.
Clearly defining your requirements in the RFP results in a less risky contract opportunity, leading to more competition and lower pricing from vendors. All the nuts and bolts of the opportunity—the many small requirements that make up the larger project—need to be captured in a deliberate, methodical fashion. And for transparency into the scope of the acquisition, the complete set of requirements should be shared with all stakeholders.
Ken Valle
Market Intelligence, State & Local Government, Technology
This is part of a podcast series where the Market Insights team provides insights and analysis on IT opportunities across the public sector. This episode features Yvonne Maffia, Senior Market Insights Analyst at TD SYNNEX Public Sector where she discusses how to leverage SLED Fiscal Year End Sales Opportunities. Listen to this podcast episode now.
Yvonne Maffia
Infrastructure, Market Intelligence, State & Local Government, Technology
Welcome to 2023 — an era of modernization where public sector information technology (IT) market growth is dominated by technologies that can create operational efficiencies and enhance the delivery of citizen-facing services. IT leaders are approaching municipality and jurisdictional operations from the lens of optimization, and there is only room for "smart" solutions.
Yvonne Maffia
Market Intelligence, State & Local Government, Technology
Cloud services continue to be a top priority for state chief information officers (CIOs), but the focus has accelerated due to the emergence of digital government and disruptions brought on by the Covid-19 pandemic. Over the last few years, we’ve seen cloud services quickly become a “must-have” for state, local and education (SLED) customers, emphasizing cost savings, scalability, agility, and flexibility.
Yvonne Maffia
Federal Government, Market Intelligence, Technology
Recently, we covered the top highlights and technology pinpoints to hone in on for the DoD’s share of the FY24 federal budget request. We’ll take a look at the civilian side of things as well, spotlighting five agencies in particular that will likely have among the biggest IT projects and initiatives across the federal civilian landscape in the next fiscal year. Spoiler alert – there’s a lot of funding to go around.
Susanna Patten
Federal Government, Market Intelligence, Technology
It’s March again, and that means the madness of the tournament, or rather the federal budget process, has begun. It’s the time of year when the federal government places its bets on priorities and initiatives that will require funding in the coming year(s). We’ll take a look at the Department of Defense’s (DoD’s) specific call-outs, what to watch for, and where you might place your own technologies across the complex landscape of agencies.
Readiness, R&D, and Dominance
Susanna Patten
Cybersecurity, Federal Government, Market Intelligence, Technology
The Department of Navy (DON) recently held its annual WEST Conference, this year with a strong emphasis on cybersecurity. The conference brought together key decision-makers from the Navy, Marine Corps, and Coast Guard, along with experts from various industries and government officials. The discussions were broad-ranging, covering topics related to naval warfare, technology, innovation, and cybersecurity.
Toan Le
Cybersecurity, Federal Government, Market Intelligence, Technology
The Department of Navy (DON) recently held its annual WEST Conference, this year with a strong emphasis on cybersecurity. The conference brought together key decision-makers from the Navy, Marine Corps, and Coast Guard, along with experts from various industries and government officials. The discussions were broad-ranging, covering topics related to naval warfare, technology, innovation, and cybersecurity.
Toan Le
Education, Market Intelligence, State & Local Government, Technology
In recent years, we have seen the rapid growth of esports (electronic sports), or competitive video gaming, with the global esports market already surpassing $1 billion and, according to a recent report from Stratview Research, expected to reach over $9 billion in 2028. Therefore, it should be no surprise that this trend has caught the interest of educational institutions, especially considering over 60% of esports fans are within the age range of the average secondary and post-secondary student, between 13 and 26 years old.
Gabriel Zighelboim
Federal Government, Market Intelligence, Technology
At a recent Armed Forces Communications & Electronics Association (AFCEA) DC luncheon, Defense Information Systems Agency (DISA) Director Lt. Gen. Robert J. Skinner highlighted three key priorities for the fiscal year 2023: posture, position and partnerships. These priorities reflect the agency's ongoing efforts to meet the changing threats of today and secure the future of its information systems.
Toan Le
Cybersecurity, Market Intelligence, State & Local Government
2022 was a noteworthy year for the technology sector, particularly as it relates to cybersecurity. The post-pandemic era of modernization exposed the fragility of U.S. public sector technology infrastructure and systems, widening attack surfaces and posing additional challenges for state, local and education leaders. We have witnessed the whole gamut of continually evolving security threats, ranging from election security breaches, nation-state actors, threats to critical infrastructure, ransomware attacks, hacktivism and more.
Yvonne Maffia
Cloud Computing, Cybersecurity, Education, Federal Government, IT Infrastructure, State & Local Government, Technology
The Cybersecurity and Infrastructure Security Agency (CISA) has seen increased malicious activity with ransomware attacks against K 12 educational institutions. Malicious cyber actors target school computer systems, slowing access, and rendering the systems inaccessible to essential functions, including remote learning. In some instances, ransomware actors stole and threatened to leak confidential student data unless institutions paid a ransom.
Ransomware attacks on US government organizations cost $18.9bn in 2020.
Asad Zaman
Cloud Computing, Cybersecurity, Education, Federal Government, IT Infrastructure, State & Local Government, Technology
The Cybersecurity and Infrastructure Security Agency (CISA) has seen increased malicious activity with ransomware attacks against K 12 educational institutions. Malicious cyber actors target school computer systems, slowing access, and rendering the systems inaccessible to essential functions, including remote learning. In some instances, ransomware actors stole and threatened to leak confidential student data unless institutions paid a ransom.
Ransomware attacks on US government organizations cost $18.9bn in 2020.
Asad Zaman
Cloud Computing, Cybersecurity, Education, Federal Government, IT Infrastructure, State & Local Government, Technology
The Cybersecurity and Infrastructure Security Agency (CISA) has seen increased malicious activity with ransomware attacks against K 12 educational institutions. Malicious cyber actors target school computer systems, slowing access, and rendering the systems inaccessible to essential functions, including remote learning. In some instances, ransomware actors stole and threatened to leak confidential student data unless institutions paid a ransom.
Ransomware attacks on US government organizations cost $18.9bn in 2020.
Asad Zaman
Data and Analytics, Federal Government, Market Intelligence, Technology
The Department of Defense Intelligence Information System (DoDIIS) conference took place in San Antonio, Texas from December 12-15. Its annual gathering of industry and government personnel invites networking, exhibitors and speakers to take on the top IT challenges currently facing the Department of Defense (DOD). Principal Deputy Director of National Intelligence, Dr. Stacy Dixon, spoke to the audience at large regarding data, its challenges, and opportunities within the intelligence community (IC).
Susanna Patten
Cloud Computing, Cybersecurity, Federal Government, State & Local Government, Technology, Tips and How-Tos
TD Synnex Public Sector’s Chief Cybersecurity Technologist, Don Maclean sat down with Mark Guntrip, Senior Director of Security Strategy at Menlo Security, to discuss one of the latest emergent security threats.
James Hofsiss
Cloud Computing, Cybersecurity, Federal Government, State & Local Government, Technology, Tips and How-Tos
TD Synnex Public Sector’s Chief Cybersecurity Technologist, Don Maclean sat down with Mark Guntrip, Senior Director of Security Strategy at Menlo Security, to discuss one of the latest emergent security threats.
James Hofsiss
Cloud Computing, Cybersecurity, Federal Government, State & Local Government, Technology, Tips and How-Tos
TD Synnex Public Sector’s Chief Cybersecurity Technologist, Don Maclean sat down with Mark Guntrip, Senior Director of Security Strategy at Menlo Security, to discuss one of the latest emergent security threats.
James Hofsiss
Cybersecurity, Market Intelligence, Technology
“We must find fresh ways to connect forces, allies, and partners that provide an effective response to the challenge of a highly contested environment not seen in the last 20 years. Given the challenges we face today and in the future, we simply have no choice but to become more interoperable,” said General CQ Brown JR., U.S. Air Force Chief.
Toan Le
Cybersecurity, Market Intelligence, Technology
“We must find fresh ways to connect forces, allies, and partners that provide an effective response to the challenge of a highly contested environment not seen in the last 20 years. Given the challenges we face today and in the future, we simply have no choice but to become more interoperable,” said General CQ Brown JR., U.S. Air Force Chief.
Toan Le
Education, Market Intelligence, Technology
This year’s EDUCAUSE Annual Conference highlighted trends and challenges currently dictating not only policy agendas but also information technology (IT) acquisitions for years to come. In particular, the conference referenced the EDUCAUSE Horizon Report, which addressed key technology trends and priorities impacting IT buying decisions and more generally, the future of teaching and learning.
FY23 Top Priorities
Yvonne Maffia
Cybersecurity
Cybersecurity Maturity Model Certification (CMMC) 2.0 is here. If your company is not prepared, the time to get ready is now, or your company may risk losing business with the Department of Defense (DoD).
The CMMC program requires cyber protection standards for companies in the Defense Industrial Base (DIB) and aims to protect sensitive unclassified information that the DoD shares with contractors and subcontractors.
Don Maclean
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
Every year, there are more and more security breaches, and it gets harder and harder to spot them. According to a leading cybersecurity vendor1, it takes almost seven months for organizations to find breaches, which gives malicious attackers plenty of time to get what they want.
Most often, system misconfigurations like default settings or credentials leave the door wide open for exploitation, resulting in these breaches. As organizations grow, this problem only gets worse because quick changes frequently result in skipped steps.
Heather Sweet
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
Every year, there are more and more security breaches, and it gets harder and harder to spot them. According to a leading cybersecurity vendor1, it takes almost seven months for organizations to find breaches, which gives malicious attackers plenty of time to get what they want.
Most often, system misconfigurations like default settings or credentials leave the door wide open for exploitation, resulting in these breaches. As organizations grow, this problem only gets worse because quick changes frequently result in skipped steps.
Heather Sweet
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos
Every year, there are more and more security breaches, and it gets harder and harder to spot them. According to a leading cybersecurity vendor1, it takes almost seven months for organizations to find breaches, which gives malicious attackers plenty of time to get what they want.
Most often, system misconfigurations like default settings or credentials leave the door wide open for exploitation, resulting in these breaches. As organizations grow, this problem only gets worse because quick changes frequently result in skipped steps.
Heather Sweet
Cloud Computing, Cybersecurity, Technology, Tips and How-Tos, Training
Security is paramount in the digital age, especially when it comes to keeping networks secure. Having network security monitoring services stand between your organization and malicious attackers is crucial. Still, the volume of alerts and issues that come with them can easily overwhelm your team.
The volume of these alerts is rising every year too. According to a report by TrendMicro, 54% of teams surveyed felt like they were drowning in alerts, and 27% said they spent most of their time dealing with false positives.
Heather Sweet