Last week, we attended DoDIIS 2022 in San Antonio. As both exhibitors and attendees, we had the opportunity to make great new connections and learn from some of the best and brightest in the public sector. From moving toward zero-trust architectures to ensuring compliance at the speed of innovation, one theme reigned supreme: collaboration. Whether we’re talking about domestic or international strategy, it’s clear that partnerships are proving to be critical as we move into 2023 and beyond.
Zero trust is a must
Almost every speaking session that we attended included a discussion of zero trust, which makes sense given the government’s focus on it in the past year. President Biden’s Executive Order on Cybersecurity and the OMB’s memo M-22-09 outline just how critical it is to modernize federal cybersecurity – with zero trust at the helm. As federal organizations continue to progress toward a zero-trust architecture, we got a close look at where they are, where they’re going, and how they plan to get there.
During their session “Journey to Zero Trust,” DIA officials discussed the DoDIIS modernization plan, which hinges on data security – defining protected data, keeping tabs on who is accessing it, and ensuring that it’s completely secure. “Data is the foundation to everything. It’s the core of what we do,” they said.
By looking at its existing cybersecurity strategy, the organization has been able to assess what’s working and where gaps exist. Because the DIA is constantly evolving and modernizing through best practices and emerging technologies, it’s important that they maintain clear communication and foster key partnerships in both the public and private sectors for effective knowledge sharing. For example, their own zero-trust project, named Fury, is run in close collaboration with DISA and its Thunderdome project. The insights gained from these strategic partners also help the DIA keep an eye on the future.
As cyberattackers evolve, taking lessons learned from strategic partners is imperative. Whatever they’re seeing now, another agency or industry contact may already have dealt with. Sharing solutions with clear directives from leadership builds a larger culture of cybersecurity that prospers through the entire government ecosystem, which ultimately keeps people and their data that much safer.
Compliance is cooperative
In the session “Compliance at the Speed of Innovation,” Amy M. Espinoza, Technical Director, USCYBERCOM Intelligence Oversight Program Management Office, further explained that collaboration is the key to success in the race to stay compliant. With federal regulations and requirements being updated on the heels of cyberattacks and technological innovation, organizations must be nimble – and they do that by working together.
We know that development and security professionals are overworked. Invicti’s report with Wakefield Research, “State of the DevSecOps Professional: At Work and off the Clock,” indicated that 50% of these professionals have had to log in over the weekend or on their own time to manage an issue. The public sector is clearly feeling the pain, too.
“Engineering teams are struggling to keep the lights on,” Espinoza said. “They’re updating architectures, they’re ingesting more data, they’re attempting to plan for the future. On top of that, they also have to secure the network, secure the enterprise, and manage all the data without running into oversight issues. If we collaborate, we can overcome these hurdles and roadblocks.”
Modern tooling and a closer working relationship between development and security make a difference for stressed-out teams. When leaders put into place tools that have seamless integration and automation, there’s room to innovate and prioritize security from the very beginning while closing critical gaps in coverage.
Looking at 2023 and beyond
It’s no surprise that business as usual isn’t going to cut it as we refine security budgets heading into 2023. Global conflicts will only continue, and government agencies must be prepared from a cybersecurity standpoint. DIA Deputy Director for Global Integration Gregory L. Ryckman used the ongoing conflict in Ukraine to illustrate the importance of proactive planning and utilizing partnerships to nimbly react when necessary. “The reason we were able to [react quickly] was the amazing capabilities of our Ukrainian partners.”
Having the right partnerships in place makes acting quickly easier – it also allows organizations to use partners’ intelligence in advance. Ryckman went on to say, “If you’re not prepared for [a situation] to boil over, then that’s a problem.” Using all of the resources available, including close working relationships with foreign and domestic government agencies, is the only way to remain nimble in this time of global struggle.
As organizations like the DIA continue to build out their cybersecurity roadmaps, it’s clear that interoperability must be the focal point. “If it’s not interoperable, it’s going to sub-optimize our capability,” Ryckman said.
Undoubtedly, 2023 is going to be filled with challenges for both the public and private sectors, but that doesn’t mean that there’s no hope. One year since Log4Shell, Invicti’s distinguished architect Dan Murphy predicts that legislation may help government agencies prepare for future cyberattacks, saying: “Guidance from the government has helped communicate to decision-makers that cybersecurity is worth prioritizing.”
For even more insight into what the future may hold for the public sector, check out our AppSec Indicator report dedicated to the government sector.