Over the past two years, federal agencies have worked diligently to reshape and harden their cybersecurity postures alongside evolving zero trust mandates and strategic guidance. Following the Biden Administration’s 2021 Executive Order on Improving the Nation’s Cybersecurity, the Office of Management and Budget released its own Federal Zero Trust Strategy in January 2022. Shortly after, the Department of Defense followed suit with the DoD Zero Trust Strategy.
As we continue to see initiatives like these roll out, the importance and prioritization of zero trust across the federal government becomes even more apparent. And promisingly, as the threat landscape widens and adversaries abound, agencies are making progress on their zero trust commitments.
The Securities and Exchange Commission, for example, is taking steps to implement segmentation (a core technical enabler) by using the principles of zero trust – least privilege and assume breach – to lay the foundation for a more secure digital future. While these are strong steps in the right direction, the work is far from complete.
As the September 2024 deadline to implement a zero trust architecture (per the OMB’s zero trust strategy) quickly approaches, agencies continue to be stretched thin. Faced with limited resources and challenged to do more with less, agencies must ensure that they’re leveraging existing capabilities and maximizing investments to continue to make strides towards fortified resilience.
The current threat landscape can best be summed up as devastating and complex, with cyber threats morphing and arising at an unprecedented pace. In fact, according to Security Magazine, over 2,200 cyberattacks take place every day (around 1 every 39 seconds). Today’s threat landscape demands a strategy that is not only robust, but adaptable and ready to respond to new and emerging threats with precision.
This is where zero trust has become a de facto cybersecurity best practice. Zero trust encourages federal agencies to proactively shore up critical defenses and account for inevitable breaches from the start, so agencies of all shapes and sizes are better able to maintain operations and secure sensitive data even in the face of ongoing attacks.
But with the rise of today’s dynamic threats, the allocation of already limited resources makes for an even more precarious balancing act – where competing priorities and budget constraints make it more difficult for agencies to secure critical assets against a widening threat landscape.
In fact, an overarching challenge in strengthening federal security lies in balancing security goals with other priorities. Federal agencies, while striving to fortify their cybersecurity posture, must also contend with the reality of juggling other organizational needs (productivity, operational enhancements, staffing, other Congressional mandates, etc.). But rather than sacrificing security entirely in the face of other pressing initiatives (which federal agencies simply can’t afford to do in 2024), they should focus on taking small but concrete steps towards resilience.
Small steps, significant progress
When it comes to reaching critical objectives and accelerating zero trust plans specifically in 2024, it’s important for agencies to consider where they can best maximize investments to get the most ROI out of limited cyber resources.
There will never be a “one-size-fits-all” solution for zero trust, and agencies looking to make progress on their zero trust goals must tailor strategies and implementation plans to their unique stage of the cybersecurity journey. But by examining organizational objectives, identifying pain points, and prioritizing security around their most critical data sets, workloads and operations first, agencies will be better enabled to achieve quick but lasting wins on the road to zero trust.
The key lies in understanding that cybersecurity, and zero trust, is not a one-time initiative or technology but an ongoing process. Agencies that prioritize continuous improvement with small but impactful projects recognize the dynamic nature of cyber threats and are better equipped to adapt to the evolving landscape.
For example, segmenting critical assets is a tactical move that is proven to result in immediate improvements in agencies’ overall security posture. In fact, segmentation is proven to reduce the blast radius of cyberattacks within an organization by 66 percent, saving organizations $3.8 million annually by limiting unplanned downtime. This approach not only slows the lateral spread of cyber threats, which remain the biggest risk as agencies continue to move to cloud and hybrid environments at scale, but also lowers potential costs incurred by downtime and lost productivity.
Federal agencies face a critical challenge as the Zero Trust Strategy deadline approaches – fortifying cybersecurity with limited resources and ambitious goals in mind. Tailored solutions, embracing a risk-based approach, and focusing on quick wins are the keys to success amidst these challenges. Through this lens, prioritizing incremental progress and recognizing the continuous nature of cybersecurity are vital – and continuing to make progress on cyber resilience objectives, even once the Zero Trust Strategy deadline passes, will remain integral to securing agency operations and protecting our democracy.
Gary Barlet is federal chief technology officer at Illumio, and former chief information officer at the Office of Inspector General for the United States Postal Service.