The relentless and increasingly sophisticated cyberattacks on federal agencies have led to one simple truth: Agencies can no longer implicitly trust the users, applications, and devices on their networks. With clear marching orders from the 2021 Cybersecurity Executive Order (EO), zero trust is now more than a buzzword for federal agencies; it’s an essential security posture.
Although the EO offers agencies a fresh opportunity to evaluate their cybersecurity posture through the lens of zero trust, implementing zero trust is another matter. Federal agencies rely on multiple generations of hardware and software assets distributed across physical, virtual, and cloud environments, and any progress toward zero trust must be done in flight without any impact on the agency’s mission or degradation of the agency’s security posture and capabilities.
As federal agencies progress in their journey toward zero trust maturity, questions abound. What are the priorities and challenges? What impacts are initiatives like OMB’s Federal Zero Trust Strategy and CISA’s Zero Trust Maturity Model having on agency efforts? Which zero trust pillars are taking precedence – and which ones are falling behind? Are there significant differences between Federal Civilian and Department of Defense (DoD) priorities? Most important, what roadblocks are likely to impede progress?
To find the answers, we commissioned a study with MeriTalk to survey 151 U.S. Federal Civilian and DoD agency security leaders – and the results are in:
78% of federal cybersecurity decision-makers feel a strong sense of urgency for implementing a zero trust architecture
92% say recent initiatives such as the EO, OMB’s strategy, and CISA’s maturity model have increased their confidence in their agency’s ability to implement zero trust
Federal agencies undoubtedly see the value in zero trust, but there’s no one-size-fits-all approach or solution. With no consensus on – or formal adoption of – a zero trust maturity model, the path to zero trust varies. Prior infrastructure investments, budgets, and varying levels of cybersecurity knowledge and staffing combined with agency mission all influence priorities and how an agency is likely to move forward.
The data bears this out:
52% of Civilian agencies think enabling safe and robust use of cloud services is their most important zero trust goal, but DoD agencies view it as far less important (38%)
Intelligent automation is the most important zero trust goal for DoD agencies (49%), but significantly less important for Civilian agencies (31%)
While DoD and Civilian priorities differ, identity is the one area where they agree. With 71% of respondents choosing identity as their agency’s most important zero trust pillar, identity is priority one for implementation – and for good reason. Zero trust is a pessimistic view of the network where nothing is trusted and everything is authenticated. This may seem obvious given the threat landscape, but it is a departure from the security viewpoint of the past, where users were trusted once they were on the network. These days, where it’s vital to enforce trust beyond the network at a more granular level, identity plays a critical role.
Beyond rethinking identity, the transition from legacy infrastructures and technologies to a zero trust environment introduces a range of challenges. While respondents are feeling more confident about zero trust in general, many have concerns about the feasibility of OMB’s FY24 goals. Not only do 87% feel the EO/OMB pushes agencies to move too fast for effective zero trust implementation, but 75% say reaching optimum maturity will be a challenge – particularly within the devices and networks pillars. Agencies say they’ll need the most help with tool consolidation, legacy integration, and continued zero trust education, and only about one in 10 feel they have the support needed to achieve optimal zero trust maturity.
The good news is that implementing zero trust does not start from “point zero.” Neither does it require a wholesale rip-and-replace of existing security infrastructure. Instead, zero trust focuses on evolving technologies and improving select areas of infrastructure over time. Moving to a zero trust posture is a marathon, not a sprint, and while agencies can’t modernize legacy systems overnight, cloud solutions with baked-in zero trust capabilities, like auto-enforced access controls and continuous monitoring, may help bridge the gap. Lastly, with 95% of DoD agencies and 92% of Civilian agencies seeking vendor support for at least one zero trust pillar, public-private partnerships will be key to success.