Amid the blizzard of mounting security threats posed by sophisticated adversaries and increased attack surfaces spawned by large-scale telework, most Federal agencies are getting the message and moving strongly toward developing zero trust security architectures.
Agencies on the Move
That’s one of the more hopeful top-line findings from a new study from Merlin Cyber and MeriTalk of more than 150 Federal cybersecurity decision makers who were surveyed to better understand the evolution of momentum, priorities, and challenges around zero trust, feasibility across the five core zero trust pillars laid out by government policy-makers, and differences between civilian and Defense Department (DoD) approaches.
The biggest takeaway: 73 percent of cyber decision makers said their agency is “aggressively adopting” zero trust principles, while another 26 percent are adopting those principles where they feel it makes sense.
Further, 92 percent say recent security policy initiatives – including the Biden administration’s cybersecurity executive order (EO), the Office of Management and Budget’s (OMB) accompanying zero trust directive, and the Cybersecurity and Infrastructure Security Agency’s (CISA) zero trust maturity model – have increased their confidence in implementing zero trust strategies.
But Challenges Abound
While most see their agencies moving in the right direction on zero trust, they also warn that challenges abound for attaining at least some of the government’s stated zero trust policy goals, especially within specified time frames.
On that front, 87 percent of those surveyed believe that the cyber EO and OMB strategy push agencies to move too quickly for effective zero trust implementation. Additionally, 75 percent say that reaching optimum maturity via CISA’s zero trust pillars will be a challenge.
With the bar set high, agencies will need assistance in meeting their zero trust goals, with 96 percent of those surveyed saying they are looking for training support from the Federal government for at least one of CISA’s pillars and 88 percent are looking for vendor support.
Specific obstacles to implementing a zero trust architecture include:
- Centralizing previously siloed security tools – 44 percent;
- Integrating new solutions with legacy systems – 42 percent;
- IT workforce training and staffing – 42 percent;
- Selecting the right vendor solution – 39 percent; and
- Juggling competing priorities of zero trust adoption and daily operations – 36 percent.
Further Policy Refinements
The report also offers recommendations to help agencies reach their zero trust goals including:
- Capitalizing on confidence by reallocating resources and minimizing competing priorities to rally cyber teams around a single purpose;
- Prioritizing future Federal policy guidance around the five pillars, and offering agencies suggestions on customizing for their needs, whether that’s working alone or with private sector help; and
- Considering solutions with zero trust already baked in around core principles like centralized visibility, auto-enforced access controls, and continuous monitoring and integration.
“Public-private sector collaboration will be integral as agencies move from zero trust confidence to competence over the next three to five years,” the report states.
For complimentary access to the survey’s full findings including an extensive rundown of data around work needed to accomplish each of the five pillars, please click here.