Notice ID: OS316725
The Department of Health and Human Services (HHS) Office of the Chief Information Officer (OCIO) is conducting market research for Program Management Office (PMO) support services for the department-wide Zero Trust Architecture (ZTA) implementation.
HHS is currently working on a department-wide ZTA implementation in response to Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, and Office of Management and Budget (OMB) M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. EO 14028 initiated the Government-wide effort to ensure that baseline security practices are in place, to migrate the Federal Government to a ZTA, and to realize the security benefits of cloud-based infrastructure while mitigating associated risks. As stated in EO 14028, the term “Zero Trust Architecture” means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. A transition to a “zero trust” approach to security provides a defensible architecture for this new environment. Furthermore, OMB M-22-09 set forth a Federal Zero Trust Strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 to reinforce the Government’s defenses against increasingly sophisticated and persistent threat campaigns.
HHS has developed the Department Zero Trust Strategy Implementation Plan. While a few OpDivs within HHS have Zero Trust Maturity (ZTM) plans in place, HHS is just beginning to align resources to a department-wide Zero Trust Strategy. Many of the skills and technologies required under ZTA already exist in HHS, but putting all the components together requires HHS to significantly upgrade governance and Information Technology (IT) management, and to integrate teams and technologies more deeply. Furthermore, achieving these goals in a cost-effective manner challenges the existing financial governance structures, since HHS component agencies, and sometimes programs, are independently funded. HHS expects that strategy, governance, and resource alignment over time will drive the consolidation of control points, data planes and supporting capabilities so that modernization efforts will envelop and eventually retire legacy technologies, and new services can be on-boarded.
OCIO OIS is gathering information on establishing and maintaining Program Management Office (PMO) support to assist with the implementation of the department-wide ZTA initiative.
TASK SCOPE AND OBJECTIVES
OCIO OIS is conducting market research on the establishment and maintenance of PMO support to assist with the implementation of the department-wide ZTA initiative. The capabilities of interest are:
- Identify existing Zero Trust capabilities and gaps in each OpDiv:
  - Engage with each OpDiv to review documentation and key artifacts to recognize current zero trust status and implementation plans.
  - Develop use cases to conduct assessments against CISA’s ZTMM version 2 within each OpDiv.
  - Conduct assessments, document results, and propose solutions to mitigate gaps.
  - Communicate and share results with Government stakeholders.
- Develop and maintain a ZTM scorecard:
  - Develop ZTM score rating based on CISA’s ZTMM version 2.
  - Assign ZTM scores to each OpDiv based on the results of assessments.
  - Develop a process for monthly or quarterly updates of ZTM scores to measure OpDivs’ progress in implementing zero trust capabilities.
- Establish an enterprise ZTA roadmap:
  - Collaborate with HHS to develop an enterprise roadmap.
  - Align the Zero Trust goals of each OpDiv with the department-wide goals.
  - Identify possible technical solutions that can be offered at the enterprise level based on individual OpDiv assessments.
  - Draft a high-level implementation plan and recommend technologies that can be used at the enterprise level.
  - Develop a risk register to identify and track program risks.
- Provide a secure test and data environment to enable the testing of multiple products to support ZTA that HHS is exploring for use in proofs of concept:
  - Develop and implement a methodology for iteratively assessing new tools and technologies to enable zero trust capabilities.
  - Coordinate with the Government on the development of a list of tools for testing.
  - Develop use cases.
  - Create pilot demonstrations.
  - Document pilots’ results and provide recommendations showing what additional capabilities are achieved and what shortcomings are eliminated.
- Establish reporting mechanisms for financial activities to provide monthly reports to OMB:
  - Develop a process to collect information from OpDivs on execution of funds to implement zero trust capabilities.
  - Gather monthly data and submit reports.
- Improve budget investments for each OpDiv:
  - Use results of zero trust assessments to develop a report to prioritize budget investments.
  - Identify cost-saving opportunities…