How the TMF helps agencies pave the way toward zero trust

The Technology Modernization Fund provides agencies with the funding and flexibility to enhance their security processes and accomplish federal cybersecurity goals, many of which come as unfunded mandates, according to the chief information security officer for the Department of Education. 

Steven Hernandez, Education's CISO and director of Information Assurance Services, told FCW the fund is helping his agency finance an enterprisewide zero trust architecture to help maintain its vast trove of citizen data over the next two years. The TMF Board awarded the department $20 million last year after receiving a $1 billion injection through the American Rescue Plan Act. 

“That funding doesn’t necessarily have the same restrictions and the same challenges that, for example, a continuing resolution might have, so there are some new creative ways we can approach it,” Hernandez said at FCW’s DevOps Security Journey webinar on Wednesday. He described the process of applying for a TMF award as “challenging, but in some cases, also a lot of fun.”

The White House’s federal zero trust strategy requires agencies to achieve specific data, identity, device, network application, and workload goals by 2024. The strategy tasks agencies with moving toward a "clear, shared path to deploy protections that make use of thorough data categorization" while employing cloud security services to monitor their most sensitive data. 

“Oftentimes, these actions are coming to us as unfunded mandates,” Hernandez explained, adding that limited appropriations and resources hinder security development, modernization and enhancement across the federal government. “The great news is, we’ve also got some new tools at our disposal.”

Hernandez said his agency worked with the Office of Management and Budget, as well as General Services Administration’s project management office, to create a proposal featuring “big, transformative actions that can have an impact with the public.” 

He described the pitch process as akin to the reality TV show “Shark Tank,” in which entrepreneurs pitch their small business concepts to a group of mega-rich investors, or "sharks," for the opportunity to work with them and potentially build their businesses into major successes. 

“You get 10 minutes to get out there, pitch the big idea and sell it,” he said. “Then they’ve got about 10 to 15 minutes for Q&A, then you cross your fingers and you find out in a little bit if you made it through.”

The Education Department plans to use the TMF funds to fully establish its zero trust program and also create a catalog of services including secure access service edge and security orchestration, automation and response technologies, according to the TMF website. 

Hernandez said other agencies hoping to get their hands on a TMF award should share the citizen’s user experience in their proposals and explain how security will advance it. “That’s a critical part of making it through and getting acceptance,” he said.

The White House is requesting an additional $300 million in its fiscal year 2023 budget request for the TMF, in addition to $65 billion for civilian agency Information Technology (IT) and other major investments in cybersecurity. Leading government technology groups have meanwhile called on congressional appropriators to support those requests, saying the additional funding is crucial to support agencies' zero trust capabilities.