VA CIO says a zero trust ‘North Star’ is essential to secure veteran data 

VA CIO Kurt DelBene said the department is moving forward with zero trust adoption, calling it vital to its mission.

VA CIO Kurt DelBene said the department is moving forward with zero trust adoption, calling it vital to its mission. EJ Hersom / DOD

VA Chief Information Officer Kurt DelBene told Nextgov/FCW that the department “faces a unique challenge” in adopting zero trust because of the need to secure veterans’ personal information. 

The Department of Veterans Affairs has “made significant progress” toward adopting a zero trust model, the department’s chief information officer recently told Nextgov/FCW, with VA focusing in large part on efforts to safeguard veterans’ sensitive data. 

In emailed comments, VA CIO Kurt DelBene said zero trust adoption is particularly vital for the department’s mission, since it “enables us to know who has access to veteran data, and how and when they accessed it.”

In addition to VA’s vast IT network — which includes more than 500,000 desktops, 2,000 different physical locations and over 1,000 systems — DelBene said the department also “faces a unique challenge that other federal agencies simply don’t encounter, in that we’re charged with protecting millions of veterans’ data.

“Nowhere else is there a more complex landscape than the cybersecurity landscape of an organization like VA,” he added.

To enhance the security of veterans’ data and departmentwide systems as part of its approach to zero trust, DelBene said VA is leveraging “cybersecurity telemetry and analytics” to provide greater insights on its digital operations.

“This is a critical capability in an agency with as many endpoints and users as VA because those users and devices must demonstrate solid cyber hygiene before we take the next step of direct authentication to applications,” he said. 

DelBene said VA is “guided by a zero trust North Star,” with the department using federal guidance and regulations as an initial framework for securing its systems and veterans’ data. 

President Joe Biden issued an executive order in May 2021 that directed all federal agencies to develop a plan for implementing zero trust strategies. The Office of Management and Budget subsequently issued a memo in January 2022 that, in part, required agencies to undertake a series of steps by the end of fiscal 2024 “intended to form a starting point to implementing zero trust architecture.”

Since the release of Biden’s executive order, DelBene said VA “has made significant progress in transforming the department’s cybersecurity posture from traditional perimeter-based protection to one based on zero trust principles.”

He cited the notable strides VA has made “on our first goal of enforcing strong identity verification,” with the department implementing multifactor authentication for more than 90% of VA user accounts through the use of personal identity verification cards.

As of February 2023 — the last month for which VA was able to provide data — DelBene said the department had met 27% of the requirements in Biden’s executive order and 50% of OMB’s zero trust strategy. 

But he noted that Biden’s order and OMB’s guidance are “a set of baseline expectations,” with the VA’s strategy — dubbed “Zero Trust First” — comprised of seven goals that align with the Cybersecurity and Infrastructure Security Agency’s zero trust maturity model, as well as additional zero trust-focused efforts to secure the department’s IT supply chain. 

And when it comes to adopting emerging technologies and automated tools to bolster existing departmentwide services, DelBene said VA is “updating and standardizing” its automation and orchestration initiatives with a “new and comprehensive” plan tied to its zero trust efforts. 

“We continue to work with industry leaders to implement new or enhanced automated capabilities to deploy across VA,” he added. “We’re working to ensure that access to VA resources from ‘nonhuman’ end points (e.g., machine-to-machine communication) are strictly controlled.”