Zero Trust Architecture (ZTA)
At its core, Zero Trust Architecture is simply about your Users, Devices, and Privileges. There’s nothing terribly complex about it, but how you verify your users, validate your devices, and strictly define user privileges can be executed in myriad ways. From the beginning of our Federal Student Aid (FSA) contract in August 2021, Zen has provided the key support and personnel for planning and executing the Zero Trust Architecture (ZTA) strategy. Our focused work is committed to meeting specific cybersecurity standards and objectives by the end of Fiscal Year 2024, reinforcing the Government’s defenses against increasingly sophisticated and persistent threat campaigns. And with our most recent contract win, we will expand our vital ZTA work to include the same support to the United States Citizenship and Immigration Services (USCIS).
The Zen Approach
The ZEN Security Engineering Team works diligently to support ZTA by maintaining configurations and inputs (logs) from across the FSA Enterprise, thereby validating devices. Additionally, our team addresses critical gaps to implement Multi-Factor Authentication (MFA), thereby verifying users, and Role-Based Access Control (RBAC), defining privileges, to secure FSA systems and environments in terms of authentication and encryption. Furthermore, the Zen team collaborates with FSA to provide critical support to the preparation, execution, and maintenance of ZTA across the FSA Enterprise to significantly strengthen the overall security structure and efficiency of FSA cyber operations.
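The three ZTA pillars described above (verify the user, validate the device, define the privilege) can be illustrated as a single deny-by-default policy decision. The following is an added example written for this page, not Zen's or FSA's code; the roles, permissions, device posture fields, and sample users and devices are all constructed for illustration and are not drawn from any FSA system.

```python
"""Minimal Zero Trust policy decision point (added example, not Zen/FSA code).

Each access request is evaluated on three signals: the user (verified by
MFA), the device (validated against a posture baseline), and the privilege
(an RBAC permission). Deny is the default; access is allowed only when every
check passes. All names, roles and posture fields are constructed.
"""
from dataclasses import dataclass, field

# Constructed RBAC table: role -> set of permitted actions.
ROLE_PERMISSIONS = {
    "helpdesk": {"ticket:read", "ticket:update"},
    "analyst": {"ticket:read", "log:read"},
    "admin": {"ticket:read", "ticket:update", "log:read", "config:write"},
}

# Constructed device baseline a managed endpoint must meet (hypothetical fields).
REQUIRED_POSTURE = {"disk_encrypted": True, "edr_running": True, "managed": True}
MAX_PATCH_AGE_DAYS = 30


@dataclass
class User:
    name: str
    roles: set
    mfa_verified: bool  # True only after a successful MFA challenge


@dataclass
class Device:
    device_id: str
    posture: dict
    patch_age_days: int


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def verify_user(user):
    """Pillar 1: the user must have completed MFA for this session."""
    return [] if user.mfa_verified else ["user: MFA not satisfied"]


def validate_device(device):
    """Pillar 2: the device must match the posture baseline and be patched."""
    reasons = []
    for key, required in REQUIRED_POSTURE.items():
        if device.posture.get(key) != required:
            reasons.append(f"device: posture check '{key}' failed")
    if device.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"device: patches older than {MAX_PATCH_AGE_DAYS} days")
    return reasons


def check_privilege(user, action):
    """Pillar 3: some role held by the user must grant the requested action."""
    allowed = set()
    for role in user.roles:
        allowed |= ROLE_PERMISSIONS.get(role, set())
    if action not in allowed:
        return [f"privilege: no role of {user.name} grants '{action}'"]
    return []


def evaluate(user, device, action):
    """Deny by default. All three checks run (no short-circuit) so the audit
    record lists every failed control, not just the first one."""
    reasons = verify_user(user) + validate_device(device) + check_privilege(user, action)
    return Decision(allowed=not reasons, reasons=reasons)


def audit_line(user, device, action, decision):
    """One log line per decision, suitable for forwarding to a SOC."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    detail = "; ".join(decision.reasons) or "all checks passed"
    return f"{verdict} user={user.name} device={device.device_id} action={action} ({detail})"


# Constructed sample principals and devices.
ANALYST = User("alice", {"analyst"}, mfa_verified=True)
ANALYST_NO_MFA = User("alice", {"analyst"}, mfa_verified=False)
GOOD_DEVICE = Device("lt-0001", {"disk_encrypted": True, "edr_running": True, "managed": True}, 5)
BAD_DEVICE = Device("lt-0002", {"disk_encrypted": False, "edr_running": True, "managed": True}, 45)

if __name__ == "__main__":
    for user, device, action in [
        (ANALYST, GOOD_DEVICE, "log:read"),
        (ANALYST, GOOD_DEVICE, "config:write"),
        (ANALYST_NO_MFA, GOOD_DEVICE, "log:read"),
        (ANALYST, BAD_DEVICE, "log:read"),
    ]:
        print(audit_line(user, device, action, evaluate(user, device, action)))
```

The point of collecting every failure reason rather than stopping at the first is that the audit trail then shows which pillar failed; a SOC reviewing repeated denials can tell an unpatched device apart from a privilege misuse attempt.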
Zen Team Cooperation
Our Zen SE and FSA SOC teams have worked closely with guidance from CISA and the Federal Risk and Authorization Management Program (FedRAMP) to evaluate encryption options to meet the objective of protecting FSA against sophisticated phishing, and consolidate identity systems so that protections and monitoring can be consistently applied. These actions ultimately enable FSA to detect malicious cyber activity on their networks, resulting in quicker threat response and vastly improved information sharing across FSA and the greater Department of Education – including the EDSOC, NGDC, and the 6,000 elements under the advisement of the Institutions of Higher Education Division (IHE).
High Value Assets (HVAs)
Every Organization has HVAs
Every organization has HVAs, but how they operate and safeguard them is different. For U.S. government agencies, BOD 18-02 dictates specific processes and procedures to determine HVAs, schedule their detailed assessments, and maintain appropriate security levels. Furthermore, the Cybersecurity and Infrastructure Security Agency (CISA), responsible for BOD 18-02 execution, designates two different levels of HVAs, one of which the target agency must evaluate internally with CISA-trained and qualified assessors.
Not Every Organization has Qualified HVA/RVA Assessors
Zen Strategics has built out an ecosystem critical to the success of performing cyber assessments, providing national-level data views that inform risk reduction and help strengthen national cybersecurity posture. Our program is available to individuals affiliated with government entities and the private sector, and our CISA-trained and qualified assessors will evaluate:
- High Value Asset (HVA): Assess the HVA security architecture to identify technical concerns that could expose the organization to risk
- Risk and Vulnerability Assessment (RVA): Collect data through on-site assessments and combine it with national threat and vulnerability information to provide an organization with actionable remediation recommendations prioritized by risk and known threats in the environment
ZEN will Guide your Organization through the BOD 18-02 Jungle
Zen assessors will ensure a correctly developed assessment is conducted for your HVAs, focused on the system specifications and nuances rather than a cookie-cutter approach. Throughout the process, our Team will maintain communications, delivering updates and observations in a timely manner and with the utmost respect for your daily operations. All findings and process documentation are provided, and we ensure all recommendations to address findings and maintain compliance are fully incorporated into our follow-on engagements.
Most federal agencies face an inefficient security operations environment. The many years of rapid change in federal IT security infrastructure, combined with the changing and new reporting requirements of agencies have led to the acquisition of a broad security toolset. Federal cyber executives now find themselves with too many tools, costly overlaps in many tool capabilities, and gaps elsewhere. The result is technical debt, where significant labor costs are driven simply by operating and maintaining an agency’s existing set of security tools. Zen Strategics assists organizations with developing, implementing, and maintaining the technologies, methodologies, and processes to defend against targeted attacks and advanced persistent threats. We build dynamic, robust, adaptable, and automated security architectures that protect data, resources, and personnel.
We offer organizations the opportunity to align their cyber offerings with the dynamic changes in policy, priority, and the cyber threat landscape. With up-to-the-minute policy and market expertise, Zen Strategics helps clients through competitive intelligence and innovation, leading to successful investment and outcomes. Working with federal and investment organizations, we assist with keeping in line with the latest trends, technologies, and ‘best fit’ solutions in the cyber landscape.
Security Compliance & RMF Services
Our proven methodology of implementing Program and Systems Security Requirement Traceability Matrices (SRTMx) provides Assessment and Authorization (A&A) for complex, existing systems for ongoing authorization. Performing an initial gap analysis and evaluating security controls using National Institute of Standards and Technology (NIST) procedures, Zen Strategics performs Continuous Monitoring (CM) for our clients, leveraging our experience with automated testing tools on both strategic and tactical levels.
In compliance frameworks such as FedRAMP, FISMA, DIACAP/DoD RMF, NIST/RMF, and SOC, we enable public and private organizations to successfully navigate complicated regulatory landscapes. With experience in providing customized, risk-based solutions that address our clients’ unique advisory and assessment needs, we have supported White House & OMB cyber initiatives, including the development and reporting of FISMA metrics that all agencies are responsible for implementing as part of the ISCM mandate.
Continuous Monitoring & Network Security/Risk & Vulnerability Management
Zen Strategics has a proven record of success helping organizations implement continuous monitoring programs. We provide access to industry-leading solutions with a unique ability to design, implement, and integrate these solutions into operational environments, enabling high-performance security programs. With over 7 years of working with DHS to create the mandate and policy that the 24 CFO Act agencies comply with, we are the insiders and best advisors to your Continuous Diagnostics and Mitigation plans. Zen Strategics uses proven National Institute of Standards and Technology (NIST) compliant methodologies for risk and vulnerability management. Our approach starts by capturing the flow of existing risk management policies, procedures, and security baselines, adding modular components as needed to support management and decision-making. With innovative, unique, and customized continuous diagnostics and mitigation (CDM) solutions, our clients are provided technical engineering and operational/program security support for integrated, modernized systems that leverage contemporary cloud solutions.