Why Agencies Largely Remain in the Pilot Phase of Zero Trust

In working with the many players that serve the federal government — tech companies, government agencies and federal system integrators — White finds that most people identify zero trust as the No. 1 technology issue.

Yet it’s already been two years since the executive order. Where do federal agencies stand in their zero-trust journeys? The government mandates gave agencies the impetus to shift to zero trust, and set cybersecurity standards and objectives to meet by the end of the 2024 fiscal year.

EXPLORE: Why zero trust needs to be a goal, not just a mindset.

Federal Mandates Accelerate Adoption, But Challenges Remain

White facilitated a working group that collaborated with federal agencies on implementing zero trust. The group was formed to help expedite progress on the cybersecurity executive order. White says it made progress on developing zero-trust roadmaps, maturity models and strategies for agencies.

Some data suggests that adoption is strong in the public sector. Government agencies are implementing zero trust faster than corporations. Seventy-two percent of government respondents report that they already have a zero-trust initiative, compared with 55 percent of corporate respondents, according to a 2022 Okta report. Yet federal agencies are playing catch-up with threat actors and need to accelerate implementation.

“The bad guys are moving faster than the good guys,” White says.

White and Michael Epley, chief architect and security strategist at Red Hat and part of IBM’s working group, identified several reasons why implementation isn’t happening faster. One of them is the lack of a holistic approach to cybersecurity.

“For many years, we built solutions in a piecemeal fashion,” Epley says. “We focused on point solutions and were often in a very reactive mode. Sometimes those were effective, and sometimes they weren’t. It’s always been a challenge to take that and build more holistic strategies around it.”

Click here to learn more about zero-trust and IT modernization within the government.

Agencies also didn’t receive an in-depth implementation roadmap from the government. While the 2021 executive order prioritized zero trust, it didn’t provide a holistic solution, Epley says. He adds that zero-trust guidance from organizations such as the Cybersecurity and Infrastructure Security Agency will continue to improve, but as of now gaps remain.

Communication was another challenge. There was no zero-trust lexicon, so organizations weren’t on the same page when it came to terms, acronyms and phrases associated with a zero-trust model.

“We had no common language,” White says.

Another issue is that threat actors have access to the same emerging technologies and tools that agencies have, and the former don’t need to adhere to regulations, budget limitations or production cycles.

EXPLORE: What agencies should know about establishing zero trust in a hybrid work environment.

Closing Gaps in Zero-Trust Implementation

IBM’s working group collaborated with agencies to mitigate these zero-trust challenges. White says the group started by creating a basis to help organizations address implementation. This included establishing a zero-trust lexicon and helping agencies develop effective maturity models and roadmaps.

To White and Epley, the key to catching up on zero-trust implementation going forward is to take a holistic approach to cybersecurity. Zero-trust roadmaps should no longer be the CISO’s sole responsibility but instead a broader mandate that empowers every member of an organization, White says.

“The thing that’s happening in the shifting landscape is that security isn’t just another initiative,” she adds. “It’s built into everything that we’re doing.” 

Adds Epley: “Our goal is to focus on improving that holistic posture as opposed to reverting back to approaches that are more reactive, more point-oriented, that we may have done in the past.”