Where do federal agencies stand with zero trust implementation?
One year after the president’s executive order on improving the nation’s cybersecurity, federal agencies are making steady progress toward their zero trust security goals, according to a study commissioned by General Dynamics Information Technology (GDIT), a business unit of General Dynamics. But agencies also face several challenges and know there is still more work to do.
The study surveyed 300 federal officials from civilian and defense agencies to understand the progress toward the cyber executive order and Office of Management and Budget’s zero trust standards and objectives. Of the 300 officials, 60% work in a federal civilian agency and 40% in a defense agency.
The executive order requires government agencies to achieve specific zero trust security goals by the end of fiscal year 2024. According to the study:
- 63% of respondents said their agencies will meet these requirements on time or early.
- 92% are confident in their agency’s ability to defend against cyber threats.
- 76% have a formal zero trust strategy in place, with 52% actively implementing one.
But, with such a major undertaking against an ambitious timeline, challenges remain.
- 58% said one of the primary challenges to implementing zero trust architecture is rebuilding or replacing existing legacy infrastructure.
- 50% are having trouble identifying what technologies they need.
- 48% think their agencies lack sufficient IT staff expertise.
“When some agencies still have data on mainframes or legacy systems, it’s a big challenge,” said Dr. John Sahlin, GDIT’s cyber solutions director, Defense. “Agencies know they can’t bolt on zero trust, so they must decide to rebuild or replace systems. That requires additional spending on top of investing in zero trust. Agencies have to make some hard decisions.”
Top priorities for federal agencies when implementing zero trust
Digging deeper, the research examines agencies’ investment priorities. Over the next year, these priorities align with a compliance-focused approach to implementing zero trust. Nearly all respondents note their top priorities are device protection (92%) and cloud security (90%). However, investments in micro segmentation to reduce the attack surface and artificial intelligence to facilitate granular data protection are lagging at 51% and 47%, respectively.
“There are expansive sets of guidelines and standards that agencies must comply with – it’s hard not to be purely compliance-driven,” said Matt Hayden, GDIT’s vice president of cyber client engagement, who previously served as assistant secretary for cyber, infrastructure, risk, and resilience policy at the Department of Homeland Security.
“While the investments agencies are making now are important to achieving their zero trust strategies, they must also focus more on the mission value of IT. The key is to focus on mission enablement and usability, ultimately going beyond meeting compliance requirements.”
“This zero trust report shows that federal agencies are making great progress to strengthen their cybersecurity defenses,” said Dr. Mathew McFadden, GDIT’s vice president, cyber.
“Zero trust principles need to be implemented throughout the organization and must be embraced by business and IT stakeholders to establish a successful strategy that drives cyber resiliency and supports the organization’s mission.”