Nearly two-thirds – 63 percent – of Federal mission and IT officials surveyed earlier this year believe their agencies are on track to meet the Office of Management and Budget’s zero trust security targets by the end of Fiscal Year 2024, according to new research published today by General Dynamics Information Technology (GDIT).
The research findings – which draw on input from 300 Federal officials split evenly between IT and program managers – also reveal that 76 percent say their agencies have a formal zero trust strategy in place, and that 52 percent are actively implementing those strategies.
Overall, 92 percent of those surveyed said they are confident in their agency’s ability to defend against cyber threats.
OMB’s zero trust implementation guidance issued to Federal civilian agencies in January requires agencies to achieve a specific list of zero trust security goals by the end of FY 2024. Those goals are organized around the zero trust maturity model developed by the Cybersecurity and Infrastructure Security Agency (CISA) and are focused on five pillars identified by CISA – identity; devices; networks; applications and workloads; and data.
In March, Federal CISO Chris DeRusha delivered an upbeat assessment of Federal agencies’ initial progress in putting the OMB guidance to work as part of the larger goal of executing on President Biden’s cybersecurity executive order issued in May 2021.
The new research findings from GDIT track with those sentiments, but also point to challenges that Federal agencies are facing in executing on the OMB guidance.
Most of the officials surveyed – 58 percent – said that one of the primary challenges to implementing zero trust architecture is rebuilding or replacing existing legacy IT infrastructure.
An even 50 percent of those surveyed reported having trouble identifying the technologies that they need to execute on the OMB guidance, and 48 percent said their agencies lack sufficient IT staff expertise for the task.
On the legacy issue, Dr. John Sahlin, GDIT’s cyber solutions director, Defense, commented, “when some agencies still have data on mainframes or legacy systems, it’s a big challenge.” He continued, “agencies know they can’t bolt on zero trust, so they must decide to rebuild or replace systems. That requires additional spending on top of investing in zero trust. Agencies have to make some hard decisions.”
“There are expansive sets of guidelines and standards that agencies must comply with – it’s hard not to be purely compliance-driven,” commented Matt Hayden, who recently joined GDIT as the company’s vice president of cyber client engagement, and had previously served as assistant secretary for cyber, infrastructure, risk, and resilience policy at the Department of Homeland Security.
“While the investments agencies are making now are important to achieving their zero trust strategies, they must also focus more on the mission value of IT. The key is to focus on mission enablement and usability, ultimately going beyond meeting compliance requirements,” Hayden said.
“This zero trust report shows that Federal agencies are making great progress to strengthen their cybersecurity defenses,” added Dr. Mathew McFadden, GDIT’s vice president, cyber. “Zero trust principles need to be implemented throughout the organization and must be embraced by business and IT stakeholders to establish a successful strategy that drives cyber resiliency and supports the organization’s mission,” he said.
ZT Accelerator, Tech Stacks
Speaking with reporters upon the release of the report today, McFadden talked about how GDIT is working with Federal agencies on their zero trust migrations.
“We’ve been very involved in the zero trust space early on,” he said. “Our focus has really been how do we accelerate agencies’ efforts as much as possible.”
“So with that, we launched a zero trust accelerator, and our goal was to provide the right expertise to help drive these efforts,” McFadden continued. “With that, we helped build an enablement kit to be able to help enable adoption. Some of the things that we have include a technology roadmap [and] we’ve been helping with some of the assessments … taking a look at core particular pillars and providing recommendations and guidance for best practices.”
“We are a very large systems integrator, and we have a very extensive background and knowledge of how zero trust is being implemented across government, so we tried to really take those lessons learned and apply those,” he said. “Ultimately, we want to accelerate the adoption of zero trust as much as possible.”
Sahlin added that GDIT is in the process of “developing a zero trust solutions stack that we offer to our clients.”
“It’s actually what I would consider a bootstrap program to accelerate time to value for zero trust,” he said. “We’ve mentioned before, one of the challenges that IT providers found is navigating the morass of different technologies that are out there and finding the right one for them.”
“What we’ve been focusing on is partnering with technology providers – like our partner Appgate – to say what is best of breed in each of the elements of zero trust from a mission perspective,” Sahlin said. “The viewpoint that we are taking is a day in the life of a mission.”