Federal execs see long journey to achieve zero trust

Less than two years remain for government agencies to meet major milestones of the Office of Management and Budget’s zero-trust security mandates. A new survey of federal IT and program leaders, however, suggests that while agency executives are focused on zero-trust practices, more than half (55%) of those polled acknowledge their agencies are still “assessing” their zero-trust gaps or have only a “baseline” of capabilities in place.

And while 35% of respondents say their agencies have intermediate or advanced zero-trust capabilities in place — based on definitions outlined in a widely-referenced maturity model issued by the Defense Department — agencies appear broadly under-equipped and under-financed to meet the administration’s mandates, according to the findings.

The survey, completed by 191 prequalified federal CIOs, IT and security managers, and program officials in September and October, found that roughly two in three executives at small and mid-sized agencies — and a little over half at large agencies, based on employee counts — believe their agency “will receive incremental funding for zero-trust work in their fiscal year 2024 budget.”

However, six in 10 respondents also said they were moderately or highly concerned that “other high-priority IT projects will suffer in FY2024 due to the need to reallocate resources to meet OMB’s and/or DOD’s zero-trust objectives.

The findings reflect the views of a broad base of federal IT leaders, with 63% from civilian agencies and 37% from defense agencies. One-third (32%) worked at agencies with less than 5,000 employees; 28% at agencies with 5,000 to 10,000 employees; and 39% at agencies with more than 10,000 employees.

Among the survey’s key findings:

Zero trust clearly has agencies’ attention. Four in 10 of executives (39%) say they are “fully familiar” — and another 47% are “generally familiar” — with the core objectives outlined in OMB’s M 22-09 memo or DOD’s latest zero-trust reference documents. Well over half say their agency has created a budget line for zero-trust work. And more than six in 10 say their department or agency has designated an individual to lead zero trust implementation.

Visibility and skills gaps remain. Roughly half of the executives at small and large agencies — and about six in 10 at midsize agencies — say their agency’s senior executives have “full visibility of the gaps that must be closed to achieve zero-trust mandates. However, based on FedScoop discussions with federal CISOs, agency executives may be over-optimistic about what is required to actually implement zero-trust practices. The survey, for instance, found that typically a quarter of respondents were “not very” or “not at all” confident that their agency had the requisite skills to assess the security requirements associated with seven key pillars associated with zero trust. Those pillars include minimum security requirements to achieve enterprise-wide control over user identity, devices, network environments, applications, data, visibility/analytics and automation orchestration.

The value of assessments.  At the same time, nine in 10 respondents acknowledged that a “comprehensive zero-trust assessment to identify gaps and key focus areas” would be highly or moderately valuable. And eight in 10 indicated that such an assessment and subsequent services from a third-party vendor or organization, similarly, would be highly or moderately valuable.

Priorities vary, but concurrent upgrades will be needed. Overall, when it comes to investment priorities, user identity and upgrades to network environments are getting the greatest attention, the study found. But resource priorities vary, depending on the size of agencies, the study found. A more detailed breakout of those priorities is available in the full report, “Achieving the Security Promise of Zero Trust,” produced by FedScoop and underwritten by Iron Bow.

One capability essential to achieving zero trust that remains underappreciated, according to the CISO at one large federal agency, is the need to dramatically scale up infrastructure and applications to collect, store and analyze log files. He estimated zero trust will ultimately result in a 40-fold increase in log files, plus the staff, to manage it all.

The study also suggests that agencies are still underestimating the work involved in educating agency managers and employees about zero-trust practices and the steps required to achieve them.  The findings also reflect a probable disconnect between what senior executives believe to be true and what the “boots on the ground” are saying is true.

“Zero trust is not just a journey for security folks,” one CISO told FedScoop. “It’s a journey for the entire agency.”

Download the FedScoop report, “Achieving the Security Promise of Zero Trust,” for detailed findings on meeting federally mandated zero-trust goals.

This article was produced by Scoop News Group for FedScoop and sponsored by Iron Bow.