Federal CIO Clare Martorana said today that Federal government agencies have been making strong progress on their journeys toward adopting zero trust security architectures, with some agencies achieving more than a 90 percent rating so far.
Speaking at the Billington CyberSecurity Summit in Washington, Martorana was asked to share details on how Federal agencies are doing with achieving zero trust goals.
While she did not elaborate in her remarks today on the precise definition of those goals, the Office of Management and Budget’s M-22-09 policy, issued in January 2022, requires agencies to achieve a specific list of zero trust security goals by the end of FY2024.
Those goals are organized around the zero trust maturity model developed by the Cybersecurity and Infrastructure Security Agency (CISA) that is focused on five pillars – identity; devices; networks; applications and workloads; and data.
Asked to describe progress and successes by agencies in their zero trust journeys, Martorana said today that the 24 CFO Act agencies – the government’s largest – “are all in the high 90 percent range.”
“Across the entire ecosystem … metrics are telling us that we have moved from 81 percent to 87 percent completion rate for agencies on that journey,” she said.
“But every agency … is [on] a journey,” Martorana said, emphasizing that zero trust “is not a destination. You don’t get to a place called zero trust and it’s unicorns and rainbows.”
“It is a journey that we have to be on, and that also requires consistent funding,” she continued, adding, “Our budgets are a challenge.”
The Federal CIO said the zero trust push “greatly benefited” from an infusion of cash into the Technology Modernization Fund (TMF) in 2021. “Eighty-three percent of our investments in TMF went to cybersecurity, helping agencies get on the path to zero trust,” she said.
She said TMF funding helped three Federal agencies to pursue zero trust architectures quickly and then share lessons learned back with Federal tech officials and other agencies.
Speaking of those agencies, Martorana said, “we kind of had a high performer in with a modern tech stack, a more classic organization that had done some modernization … and a third agency that was really dealing with an extraordinary burden of a lot of legacy IT.”
“Watching those three agencies move rapidly, share that knowledge and … acquisition and even procurement language” was helpful “so that we were able to understand what worked [and] what didn’t work” in the pursuit of zero trust security architectures.
The move to zero trust, Martorana emphasized, “is a continued journey that the government is going to go through for many years, but I could see real progress.”
“And I think the most important thing is the cultural change that has happened” around the transition to zero trust security, she said.