Federal government agencies both big and small have been working on their migrations to zero trust security architectures for the better part of three years now, but how can anyone outside of those agency tech shops tell how well they are doing so far?

For answers to those questions and some pro tips from perhaps the top expert in the government’s march to zero trust, we’re highlighting some recent progress news from Federal tech leaders and some of the best public resources to track going forward.

We are also checking in with Sean Connelly, who now is the executive director of global zero trust strategy and policy at Zscaler, but until earlier this year was Trusted Internet Connections (TIC) program manager and zero trust initiative director at the Cybersecurity and Infrastructure Security Agency (CISA) – and perhaps the Federal government’s number-one zero trust evangelist.

Progress Data Emerging

Last month, Federal CIO Clare Martorana reported that Federal government agencies have been making strong progress on their journeys toward adopting zero trust security architectures, with some agencies achieving more than a 90 percent rating so far.

Speaking at the Billington CyberSecurity Summit in Washington, Martorana offered that the 24 CFO Act agencies – the government’s largest – “are all in the high 90 percent range” of expected progress, while “across the entire ecosystem … metrics are telling us that we have moved from 81 percent to 87 percent completion rate for agencies on that journey.”

While she did not elaborate on the precise definition of those goals, the Office of Management and Budget’s (OMB) M-22-09 policy issued in January 2022 requires agencies to achieve a specific list of zero trust security goals by the end of fiscal year (FY) 2024.

Two iterations of CISA’s Zero Trust Maturity Model issued in June 2021 and April 2023 also guide agency action and focus on five pillars – identity, devices, networks, applications and workloads, and data.

Another likely contributor to those figures is the 2024 Report on the Cybersecurity Posture of the United States issued in May 2024 by the Office of the National Cyber Director (ONCD) and billed as the “first-of-its-kind” data roundup on “how the nation is addressing the challenges and opportunities we face in cyberspace.”

Along with the upbeat report on zero trust progress, Martorana also counseled that “every agency … is [on] a journey” and that zero trust “is not a destination. You don’t get to a place called zero trust and it’s unicorns and rainbows.”

Where Else to Look?

Another set of important zero trust progress data could be emerging soon – though perhaps not in a public forum – as about 100 Federal agencies are due to offer updates on their progress in response to OMB’s Memo 24-14 issued on July 10.

That memo – signed by both OMB Director Shalanda Young and National Cyber Director (NCD) Harry Coker – lays out the Biden administration’s “cross-agency cybersecurity investment priorities” for FY 2026.

The memo mirrors the five pillars of the Biden administration’s National Cybersecurity Strategy, and says that agencies’ FY2026 cybersecurity budgets should reflect those five pillars: defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals.

“Sustained investments across these five pillars are critical to mitigate cybersecurity risks and should be addressed within the FY 2026 Budget,” Young and Coker wrote in the joint memo.

Agencies had 120 days to provide OMB and ONCD with their input, meaning the due dates are likely sometime this fall.

Another tried and true place to look for top-line security spending trends is within congressional appropriations legislation. Digging into the particulars of those bills may show some concrete figures for requested and/or approved cybersecurity spending, while others may reference zero trust work in general but not provide a budget number for it.

Sometimes senior Federal officials will help out with that math, as did former Federal CISO Chris DeRusha when he said that the FY2024 ask on zero trust appropriations would total about $12 billion.

An Expert’s View

Zscaler’s Connelly told us it’s best to keep an eye on both OMB and ONCD for future clues on how the zero trust effort is going. He noted that ONCD was a brand-new office in 2021 but is now staffed up and highly involved in the Federal cybersecurity policy space.

He called Martorana’s assessment of zero trust progress in September “very positive in terms of the momentum toward the identity pillar” of zero trust and the network pillar.

“There’s been focus and drive to help agencies with their zero trust efforts and what really makes this different is the top-down leadership push,” he said. “You had the National Security Advisor Jake Sullivan and his team talking to their peers at the cabinet levels, the assistant directors, deputy directors … and you really need top-down interest.”

“The Technology Modernization Fund [TMF] is also a good place to look” for zero trust developments, Connelly said.

He recalled that the fund made substantial awards in 2022 to the Department of Education, General Services Administration, and the Office of Personnel Management for zero trust work.

“The TMF may be welcoming new Board members soon, alongside the recent hire of Larry Bafundo as the new TMF Program Manager,” Connelly said. “It’s an ideal time to realign priorities and explore how we can better support agencies at various stages of their zero trust journey.”

Outside of the government sphere, Connelly also recommended that zero trust followers keep an eye on the Cloud Security Alliance, which he said is funded by technology vendors and is doing some focused zero trust work.

“They’ve got a lot of working groups right now focusing on each of the [zero trust] pillars themselves, so that would be a good organization to pay attention to,” he said.

Asked whether the current zero trust policy needs any updating, Connelly offered no firm prediction, but said there may be room for a “next-gen” update of the current maturity models to reflect different stages of maturity and to take into account advances already made in the journey.

He also said that some agencies will continue to face problems with advancing on zero trust as long as they are running legacy IT architecture, especially on critical systems. “There just needs to be some resources put into helping migrate and rearchitect these legacy systems,” he said.

Finally, Connelly recommended that zero trust progress trackers invest time in listening to the Federal agency tech leaders who often speak about their progress at public events.

“If people ask me how do I track zero trust, I would say anytime you can hear a Federal CIO from 10 feet away talk about what they’re doing with zero trust, go to that event, because that person might actually give you a clue,” Connelly said.

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.