Jul 30 2025
Security

Q&A: Cisco VP Mike Witzman Calls for Greater Convergence of Federal Cybersecurity Solutions

The security leader sees great opportunities for government in recent cloud security developments.

With more than 25 years of service at Cisco, Mike Witzman, vice president of solutions engineering for the U.S. Public Sector, focuses on the challenges facing government agencies, including state, local and education, and federal areas such as civilian, defense, and intelligence missions.

Previously, Witzman served in the Air Force, which set him on a path toward computer networking and information systems. He has maintained a mission-oriented mindset that has benefited him in the private sector. FedTech Managing Editor Mickey McCarter recently chatted with him about cloud security, zero trust and maximizing cybersecurity investments for agencies.

FEDTECH: Everyone is buzzing about FedRAMP 20x. What are your early takeaways, and where do you see opportunity for both the federal government and its contracting partners?

WITZMAN: While it’s still early, FedRAMP 20x looks very promising. It brings us back to the original goal of FedRAMP, enabling agencies to adopt cloud services securely and more quickly. In cybersecurity, bad actors don't have limitations on time or access to resources. If it's available, it's available to them immediately. Bad actors don’t wait for red tape. So, anything that helps the government access cloud security innovations faster is essential.

There’s also a push for real-time updates and continuous monitoring, which is where most of the magic happens in cyber hygiene. Moving toward machine-readable formats could automate data exchange and reduce the human workload, allowing teams to focus elsewhere.

Shifting toward industry-led compliance is another important step. Long-term, the biggest opportunity is to align multiple compliance frameworks across federal agencies. For industry, we can solve once for, say, public safety or critical infrastructure and apply that across verticals. On the customer side, they often have to run through different audits that overlap to maintain compliance. Overall, the goals are solid, and industry engagement has been strong.

FEDTECH: FedRAMP has faced criticism for being slow and labor-intensive. Do you see faster innovation as a central benefit of the 20x model?

WITZMAN: Absolutely. Government often struggles with limited workforce and budget, so reducing costs and speeding up access to innovation is critical, especially in a fast-moving space like cloud and software. Shifting to industry-led compliance and machine-readable formats enables automated validation of security requirements, speeding up authorization without compromising security. So yes, it’s definitely a worthy goal.

FEDTECH: Cisco emphasizes Network as a Service in the federal space. How do you see security fitting into that picture?

WITZMAN: NaaS is sometimes used broadly to refer to cloud-managed networks, hardware as part of the subscription, or to a fully managed service. Federal agencies want the flexibility to choose the best model for their mission or workforce, and to manage technical debt better with more predictable spending models over time.

We’re seeing a shift toward platforms, whether for networking or security. A platform should offer visibility, extensibility and built-in capabilities without requiring constant bolt-ons. You should be able to expand platforms up and down as your needs change. NaaS is a great example. It includes built-in zero-trust security features such as segmentation, encryption and monitoring, along with automation of key tasks like software patching. That’s critical because staying current on software is still one of the most essential steps in cybersecurity.

SD-WAN is another proof point, with embedded firewall, intrusion prevention and segmentation, plus extensibility to cloud-based security service edge for a full secure access service edge solution. So, you're not only securing your network today but also creating a flexible, extensible foundation for future capabilities.

FEDTECH: Zero trust played a big role in securing remote work. How do return-to-office mandates impact cybersecurity posture, and did remote work prepare us?

WITZMAN: There were definitely some positive developments in the past few years. Remote work actually increased user vigilance and accelerated zero-trust adoption. But hybrid environments are more complex. They demand that users understand how to connect securely based on where they are, which increases risk. The more paths we ask users to navigate, the more room there is for error. Do they know what looks right each time? It also places a burden on IT because the team has to manage policies for each of those different modes.

We want a single, consistent user experience so any deviation is obvious and can be flagged. It’s also easier for IT when policy management is unified. That’s where universal zero-trust network access, or universal ZTNA, comes in, blending cloud and on-premises security into one seamless architecture.

When users have a consistent experience and IT has fewer policy points to manage, we get deeper, more granular policies. It’s like digging two deep holes instead of 10 shallow ones. Fewer management points mean better enforcement, and merging architectures enables this holistic approach.

FEDTECH: Identity and access management ties directly into ZTNA. What’s your perspective on where the federal enterprise stands and where it can improve in this space?

WITZMAN: Credential theft is still the leading cause of breaches, so identity management is fundamental. We’ve made progress; things like biometrics and passwordless authentication not only increase security but are also easier for users to adopt. That’s a win-win.

But we’re also moving toward identity threat intelligence and dynamic risk scoring. It’s no longer just who you are, but also what, where, when and how. Device posture and vulnerabilities change constantly, so we need real-time assessments and dynamic risk scoring that reflect the posture of the organization.

And after granting access, we need continuous monitoring. AI-driven behavioral analytics help detect unusual user behavior, but we also need to monitor nonuser devices — sensors, robots, autonomous systems — as they become more mobile and dynamic. These devices must be protected and monitored as potential attack vectors. And the important part is the network plays a dual role for those devices, both protecting them from bad actors but also monitoring them as potential launch points if a bad actor is able to compromise one of them.

FEDTECH: Where should civilian federal agencies focus their cybersecurity investments right now?

WITZMAN: The basics still matter — patching, multifactor authentication, endpoint protection, robust encryption. But we also need automation and AI to scale operations. We are at the point where things happen faster than a human can respond, and we need AI to help manage those systems. The window between a vulnerability being published and exploited gets smaller every day, and generative artificial intelligence tools have lowered the skill barrier for attackers.

Agencies need to prepare for zero-day threats with real-time policy adaptation but also to keep their systems updated. Tabletop exercises and information sharing, via Information Sharing and Analysis Centers, are also critical for getting ahead of situations before you experience them yourself. Cybersecurity is a team sport. We have to play the sport before the incident happens. If we haven't, it's not going to go nearly as well.

Beyond the basics, agencies should simplify and modernize around network and security platforms with a goal of a holistic, zero-trust architecture with a consistent user experience and fewer policy configuration points.

For example, one of the top concerns today for CISOs and mission owners is users inadvertently exposing sensitive data by using any of the readily available public generative AI models. In the past, we would see a new threat, and we would develop a new solution to address the threat, so we would add one more thing to the security arsenal. But in this case, we need our security platforms to incorporate detection and control access to both public and private models. We also must place guardrails around the use of approved models. We don't want to rely solely on the security of the model itself. Our platforms must incorporate these capabilities instead of buying new solutions to address the problem. This approach will allow government to quickly incorporate the highly controlled government deployed models but also commercial off-the-shelf GenAI solutions where appropriate.

We’re also seeing the emergence of hybrid mesh firewalls, moving from managing dozens of appliances to hundreds or thousands of security enforcement points at the port or kernel level. With centralized policy and distributed enforcement, we improve performance and reduce complexity.

Last, observability and security monitoring should converge. Different groups will use different tools to monitor their piece of the IT puzzle. In reality, the same telemetry that we use to identify malicious traffic can also be used to manage user experience, system uptime and compliance. Using a single platform for all of these use cases improves visibility, breaks down silos and makes AI tools more effective across the board. With tight budgets and limited workforce, these improvements help agencies do more with less and raise their overall security maturity.

Photography by Matthew Furman