Federal Agencies are Making Progress on Zero Trust but Challenges Remain
By Dr. Matthew McFadden, Vice President, Cyber, General Dynamics Information Technology (GDIT)
A little over a year ago, the Biden administration issued the Executive Order (EO) on Improving the Nation’s Cybersecurity, which set a common objective for all agencies: adopt security best practices to advance toward Zero Trust Architecture. Zero trust is a cybersecurity framework developed around the concept of “never trust, always verify.” It requires all users, whether they are inside or outside an organization’s network, to be continuously validated to access applications and data.
Extensive guidance about zero trust implementation followed the EO, including an OMB zero trust strategy memo, technical reference architectures, and the Zero Trust Maturity Model from the Cybersecurity and Infrastructure Security Agency (CISA).
To assess progress and identify continuing pain points on the journey toward zero trust, GDIT’s Cyber Practice conducted industry research by surveying 300 federal leaders (60% civilian and 40% defense) who are influential in the IT decision-making process. The report found solid momentum around zero trust planning, some misconceptions about zero trust, and some anticipated implementation challenges.
Zero Trust Momentum
Seventy-six percent of respondents reported their agency had a formal zero trust plan in place or in the works. Two-thirds said they will meet federal zero trust requirements on time or ahead of the fiscal year (FY) 2024 deadline; another 21 percent will come close to meeting the requirements by then.
Approximately half of the respondents are building their zero trust implementation using CISA’s Zero Trust Maturity Model, a roadmap to assist agencies in the development of their zero trust strategies and implementation plans. This model is built around five core pillars: identity, device, network, application workload, and data.
Using the pillars in the maturity model as a framework to assess maturity levels, most respondents reported that they are currently at either the traditional or the advanced maturity level; few have reached the optimal level. Respondents are most mature in the data and identity pillars. Nearly all said their top future investment priorities are device protection (92 percent) and cloud services (90 percent). Six in ten believe they will be able to continuously run device posture assessments (e.g., using endpoint detection and response tools) by the end of FY24.
Zero Trust Misconceptions
The survey results also identified some misconceptions about the benefits of zero trust, pointing to the need for continued education about the concept and its implementation. For example, respondents said the top benefit (57 percent) of a zero trust approach is that the right users have the right access to the right resources at the right time, but only one quarter said granular data protection at rest and in transit is a top benefit. Yet the two are inseparable: to provide the right access to data and applications at the right time, agencies must coordinate with internal stakeholders, other agencies, and non-governmental organizations to provide the access that employees need, and doing so requires a granular data protection scheme.
Furthermore, less than half (42 percent) of respondents said a top benefit of zero trust is a reduction in the cyberattack surface. This is surprising, and it seems to reflect a fundamental misunderstanding of the zero trust concept: because users are granted access only to the applications and data they need, the impact of any breach is limited. Essentially, micro-perimeters are created around each user’s resources, so attackers who compromise one account can only go so far.
Zero Trust Implementation Challenges
The survey also highlighted hurdles in the zero trust journey. More than half (58 percent) of respondents said the biggest challenge to implementing zero trust is that existing legacy infrastructures must be rebuilt or replaced. Many of these legacy systems rely on implicit trust, which allows bad actors to gain broad access to agency systems following a breach.
Perhaps not surprisingly, 46 percent said costs are a concern. Replacing legacy systems will require significant investment. At the same time, half of respondents said they are having trouble identifying what technologies they need. This suggests that IT teams are not always collaborating closely with program managers. Improving collaboration between mission owners and IT teams will ensure stronger alignment between the mission and cybersecurity technology implementation, making it easier to know which tools to choose.
Zero Trust and Agency Missions
The journey to zero trust will be different for every agency. It will depend on the technology that is already implemented, the agency’s mission requirements and current cybersecurity posture, agency and contractor staffing, and more.
The survey data suggests that agencies are working to meet the aggressive zero trust implementation deadlines laid out by the White House, but lack of resources and fundamental gaps in understanding may hinder their progress. To overcome these challenges, agency IT teams can:
- Partner with mission owners to understand the impacts of data and services on each mission. Understand what data they rely on, where it lives, and how they use it.
- Identify digital assets and how cyber compromise of those assets would affect the agency mission. Prioritize security controls based upon the importance of the asset.
- Demonstrate quick wins by optimizing current infrastructure. Identify applications and services that can transition to zero trust through configuration changes and policy updates.
- Then, look for incremental zero trust projects that provide the greatest value relative to the mission, regardless of which zero trust pillar they fall under.
Zero trust is not just a cybersecurity strategy; it is also a mission enabler. Its primary value is in improving agency missions by providing data and services to the people who need them, right when they need them. By partnering with mission owners and systems integrators, and by taking an incremental approach to zero trust that focuses on the greatest value to the mission, IT teams will ensure not only compliance with zero trust requirements, but also mission success.
About the Author
Dr. Matthew McFadden, Vice President, Cyber, GDIT. Dr. Matthew McFadden spearheads cyber strategy for GDIT, leads cyber research and development, and develops advanced cyber solutions for the Federal Civilian, Defense, Health, Intelligence and Homeland Security markets. He represents a cyber workforce of more than 3,000 professionals, 30+ commercial cyber partners, and programs supporting some of the largest cyber missions in the federal government sector.