Labor Department moves toward zero trust

Labor Department CISO Paul Blahusch detailed how his agency ramped up its implementation efforts around zero trust in recent months, from establishing an entirely new team to proposing a project for the Technology Modernization Fund.

United States Department of Labor in Washington, DC Editorial credit: Mark Van Scyoc /

The Department of Labor was forced to go back to the drawing board and develop a new implementation strategy around zero trust after the White House released its cybersecurity executive order in May, according to the agency's Chief Information Security Officer Paul Blahusch.

Blahusch provided details at FCW's cybersecurity workshop on Wednesday about how the Labor Department quickly began reorganizing to accommodate the order's aggressive deadlines, including the goal of developing an agencywide plan for zero-trust architecture and implementation within 60 days.

"We had our work cut out for us," he said. "We couldn't have people just doing it in their spare time. We need a dedicated team."

Blahusch recruited a team to begin assessing the agency's cyber posture and to determine what it would take to ultimately achieve zero trust, enlisting at least six officials from within the Labor Department and its network of contractors to focus on the project.

The team proposed 21 strategic initiatives -- complete with detailed timelines -- after interviewing agency officials who worked on IT, analyzing potential weaknesses and identifying seven zero-trust components: device, network, data, analytics, microsegmentation, penetration testing and workload protection. Its initiatives were all designed with the intention of closing the gap between the agency's current cyber posture around zero trust and the target state the administration outlined in its executive order this summer, Blahusch said.

Many of the Labor's zero-trust cyber initiatives were included in a project proposal it recently submitted to the Technology Modernization Fund. The TMF Board has called for agencies to send in funding requests for projects meant to address urgent cybersecurity needs, including zero-trust implementation strategies.

Overall, the department is slated to spend $819 million on IT in fiscal year 2021. Its most recent audit under FISMA (the Federal Information Security Modernization Act) identified three areas for improvement -- configuration management, identity and access management and data protection and privacy. Overall, Labor failed to achieve the passing level of "managed and measurable" in three of the five assessed cybersecurity functions: identify, detect and recover.

Federal CISO Chris DeRusha, who also spoke on Wednesday at the FCW workshop, said a "paradigm shift" was required at most agencies in order to create multiyear investment and implementation plans for zero trust, while echoing the TMF Board's calls for new proposals around cybersecurity.

While the administration was still planning to release key guidance around zero trust, DeRusha said agencies should move forward with their own plans and submit TMF proposals -- "given the state of affairs we're in and the number of events we are experiencing" in terms of cybersecurity.

"I don't think agencies need to wait if they're ready to submit something," he said. "If they're not and they need more guidance to understand what success might look like, I can tell you that guidance will be coming soon."

The board received 108 project proposals from 43 federal agencies, Federal CIO Clare Martorana said at a House hearing last month, after the TMF received a $1 billion investment in the American Rescue Plan. Of those proposals, Martorana said at least 75% were focused on cyber issues.