Migrating to a zero-trust approach remains a top priority for the US in its efforts to minimize the harm caused by cyberattacks.
U.S. federal agencies are progressing in their adoption of zero-trust network architectures (ZTA), with a focus on moving beyond initial planning to practical implementation and demonstration of zero-trust principles, according to Michael Duffy, the acting federal chief information security officer.
Duffy emphasized that while the original timeline for zero-trust adoption set by the Biden administration has lapsed, the foundational expectations remain firm. Agency roadmaps are in place, focusing heavily on architectural aspects and integration with new technologies like artificial intelligence.
Zero trust is not just a technology upgrade but a comprehensive way of thinking and operating to address evolving threats. The next phase involves demonstrating how zero trust can effectively limit damage after system breaches and manage complex environments. This approach aligns with federal directives such as Executive Order 14028 and OMB Memorandum M-22-09, which mandate measurable progress by fiscal year 2027.
Federal agencies have submitted an increasing number of implementation plans, reflecting growing adoption, but face cultural and operational challenges in transforming IT management and integrating security disciplines cohesively.
Zero trust architecture is being framed as a mindset and ongoing practice, requiring agencies to continuously verify trust for every user, device, and system, inside or outside the network, with strong authentication, microsegmentation, and strict access controls. Efforts include aligning with standards like NIST SP 800-207 and CISA’s Zero Trust Maturity Model to structure these capabilities incrementally.
Agencies are also adapting strategies to protect applications and data across diverse environments to counter persistent cyber threats, including those from state-sponsored actors, using automated protection and resilient infrastructure.
Robert Costello, the Chief Information Officer of the Cybersecurity Division at the Cybersecurity and Infrastructure Security Agency, spoke on the panel. He highlighted the need to explain zero trust across the entire community because not everyone is enthusiastic about cybersecurity and IT.
Successfully migrating a network to zero-trust architecture requires broad communication of the value of the changes. The U.S. government is still urging agencies to adopt zero-trust network designs, with the next big push being about demonstrating that zero trust is a way of thinking, architecting, and operating.
In conclusion, the current status underscores progress in architectural planning and increased submissions of agency zero-trust plans, reinforced by a policy environment that mandates zero-trust by default. The main challenges remain in cultural shifts within agencies, operationalizing zero trust principles in legacy environments, and demonstrating tangible benefits amid evolving cyber threats and technological changes.
- The focus on zero-trust network architectures (ZTA) in federal agencies extends beyond technology, as they also aim to manage identity, ensuring privacy and security for all users and systems.
- As zero trust is about continuous verification, federal agencies are working on strict access controls, strong authentication, and microsegmentation, aligning with standards like NIST SP 800-207 and CISA’s Zero Trust Maturity Model.
- In the next phase of zero-trust adoption, federal agencies will demonstrate how this approach effectively manages complex environments, limits damage after system breaches, and counters persistent cyber threats, including those from state-sponsored actors, using automation and resilient infrastructure.