The Office of Management and Budget’s (OMB) Federal Zero Trust Strategy turned two years old on Jan. 26, and officials from several private sector firms that are helping Federal agencies put zero trust security in place are giving solid marks for progress thus far, and emphasizing the need for further gains as the threat environment grows more complex.
“The two-year anniversary of the Federal Zero Trust Strategy highlights the incredible progress we’ve made as a nation in prioritizing cybersecurity, along with the National Cyber Strategy reinforcing that mandate,” said Stephen Kovac, Global Chief Compliance Officer at Zscaler.
“With the upcoming September deadline for agencies to meet initial cybersecurity requirements, some are further along their zero trust journey than others,” Kovac said. “It’s clear there’s still a tremendous amount of work that needs to be done to ensure all agencies have a foundational zero trust architecture in place for a resilient and secure cyber posture. This demands cohesive government and public-private collaboration, to leverage shared insights, efficiencies, and innovation.”
“Federal agencies have made solid progress towards achieving the goals set forth in the Zero Trust Strategy – particularly around policy development, identity and access management, and segmentation,” agreed Gary Barlet, Federal Field CTO at Illumio.
“The zero trust Federal mandates have accelerated the adoption of modern security techniques,” said Matt Hayden, vice president of cyber and emerging threats at General Dynamics Information Technology (GDIT). “Across the Federal government, there are more security logs being monitored and leveraged to build up defenses and increase resilience.”
While giving credit to agency efforts over the past two years, those officials also are turning their eyes to work that remains ahead.
“The work is far from done,” said Barlet. “Zero trust implementation remains an ongoing process – and in the face of competing priorities, rising threats and increasing budget limitations, it is crucial for Federal agencies to continue to prioritize security goals alongside other organizational objectives.”
Zscaler’s Kovac pointed to key officials who will be instrumental in further zero trust gains.
“We applaud the appointment of Eric Mill, as the executive director for cloud strategy in the General Services Administration’s Technology Transformation Services division,” he said. “With his proven leadership with the Federal Zero Trust Strategy and FedRAMP program, he will be an instrumental resource for agencies in advancing their cloud security and zero trust adoption.
“We also appreciate the work of Cybersecurity and Infrastructure Security Agency’s Sean Connelly and his team for publishing the Zero Trust Maturity Model, and the Zero Trust Architecture that NIST published as 800-207,” said Kovac. “This work helped shape the Federal Zero Trust Strategy, advocating and guiding agencies to update their zero trust security architectures.”
“While things are definitely better, there is more work to be done,” Hayden said. “We still need to improve vulnerability management and leverage new technologies to approach machine speed level defenses. At GDIT, we believe zero trust is foundational to improving Federal agencies’ cyber resiliency and we are actively partnering with them to implement their zero trust transformations.”
Getting a solid handle on the promises and challenges of artificial intelligence (AI) technologies is also looming large, the officials said.
“We have witnessed a profound transformation in zero trust principles, largely attributed to the acceleration of AI-driven advancements,” said Gary Hix, Chief Technology Officer at Hitachi Vantara Federal. “The foundational tenets of zero trust, like least privilege and continuous verification, have been bolstered by AI’s capabilities in contextual analysis and adaptive risk assessment.”
“Cybersecurity is an ever-changing landscape, and the process of zero trust integration is no exception to this evolution,” Hix continued. “Legacy systems continue to present a hurdle, demanding meticulous adaptation to align with zero trust’s dynamic security requirements, often leaving them susceptible to vulnerabilities.”
“The dichotomy between stringent security measures and user experience also remains a critical concern,” he said. “Balancing the necessity of continuous authentication with seamless user interaction is a delicate equilibrium we strive to achieve while safeguarding productivity.
“Looking ahead, emerging threats and the dangers posed by AI, will continue to redefine the cybersecurity landscape and regulations, and make the implementation of zero trust more vital for our infrastructure and digital security,” Kovac added.
Through a wider angle lens, Hix said, “Zero trust is only as robust as effective compliance. The linchpin to a resilient infrastructure is education, involving the education of employees, contractors, and third-party entities in cyber hygiene practices that bolster a strong security posture for a safer and more secure digital environment.”
“Agencies must prioritize small, incremental steps to ensure continual progress towards zero trust,” said Barlet. “Through quick wins, agencies can strike a balance between resilience and meeting other organizational priorities, all while fostering a scalable and pragmatic approach to cybersecurity.”
“For example, turning segmentation efforts into smaller projects – starting with agencies’ most critical and vulnerable resources first and blocking high risk ports enterprise wide – can yield more immediate impact in terms of strengthening agencies’ overall cybersecurity posture, helping them achieve important goals with limited resources,” Barlet added. “The most critical thing is to keep moving forward and continue to make progress on the zero trust journey.”