The federal government’s ambitious plans to implement zero-trust security across federal agencies, while well-intentioned, will require substantially more funding and foundational technical work than officials may have anticipated, according to agency IT executives in a new FedScoop survey.
As a result, the goal of establishing zero trust operating environments — and the ability to continuously verify users, devices, and applications accessing federal IT systems — could take much longer than federal officials envision.
Efforts to implement zero-trust security took on new urgency when increasingly sophisticated malicious cyber campaigns prompted the White House to issue an Executive Order on Improving the Nation’s Cybersecurity in May of 2021. The EO, and subsequent directives from the Office of Management and Budget, tasked federal agencies with implementing a series of strategic security initiatives by the end of the fiscal year 2024.
According to 177 pre-qualified federal agency IT decision-makers surveyed in May, a lack of dedicated funding, the complexity of federal IT systems, and the need to deploy solutions capable of working across siloed business units suggest that agencies will be hard-pressed to meet the administration’s timelines,
Among the survey’s key findings:
Funding squeeze – One in 4 IT decision-makers working at civilian agencies — and 1 in 5 at defense/intelligence agencies — predicted that implementing zero trust will consume as much as 10% or more of their annual IT budgets in FY 2023 and 2024. For some agencies, that means redeploying hundreds of millions of IT dollars. Moreover, roughly two-thirds of respondents believe that at least 4% or more of their agency’s IT budgets will need to be redirected from other initiatives to meet OMB’s zero-trust mandates, likely resulting in various IT modernization and maintenance efforts to be put on hold.
Still in the starting blocks – Another significant factor constraining progress is the extent to which agencies are still actively modernizing the foundational systems required to support zero trust capabilities. A majority of respondents reported that their agency security tools were on par with standard federal security practices; however, roughly one-third revealed that their agencies remain in the early stages of supporting the five pillars of zero trust outlined by OMB around users, devices, networks, applications, and data.
Cloud’s role – The ability to deploy, automate and orchestrate the five pillars of zero trust will depend heavily on agencies’ experience using the cloud. However, 24% of respondents at civilian agencies and 34% at defense/intelligence agencies reported that only one-third or less of their agency’s mission and operations applications currently operate in the cloud. “Zero trust requires dynamic policy enforcement at scale. Suppose two-thirds of agency IT operations is still on-prem. In that case, the realities are, it will be very, very costly to enable zero trust,” said one federal agency CISO who reviewed the study’s preliminary results but wished to remain unnamed.
Key challenges ahead – Among the top technical challenges IT leaders said they still face in adopting zero trust, 4 in 10 respondents cited the interdependency and complexity of existing technology. Conflicting IT priorities and managing the growth of data pose additional challenges. Another third expressed challenges with advancing security in one security pillar with breaking things in another, and those challenges varied by agency size, as did recommendations for what measures would help agencies most in achieving the White House’s zero-trust goals.
Confidence in meeting deadlines varied – Just under half of civilian and defense/intelligence agency respondents voiced confidence that their agency would achieve OMB’s zero-trust security goals closer to the end of FY 2024. However, another 46% in both groups reported being skeptical or not confident about meeting OMB’s deadline. And roughly 1 in 4 respondents said they didn’t expect to have the underlying tools in place to manage, analyze, automate and orchestrate security controls across all five zero trust pillars before the end of the fiscal year 2025 or beyond.
The new FedScoop study, “The Quest for Zero Trust,” conducted by Scoop News Group and underwritten by Forcepoint, provides a snapshot of how agency executives believe security experts describe the maturity of various components within the agency supporting the five pillars of zero-trust security. For instance:
- About 1 in 3 respondents said their agencies are still in the planning stages — or laying the foundations for — multi-factor authentication and centralized identity management capabilities.
- Another third said their agencies were at similar stages for deploying endpoint detection and response systems — which struck the CISO who reviewed the study as alarming given the importance of EDR as an essential security tool.
- Roughly 4 in 10 respondents at both civilian and defense/intelligent agencies are still in early stages of deploying network micro-segmentation — and replacing VPNs with zero trust network access.
- While 6 in 10 respondents said their agencies have centralized access authorization capabilities for applications — and two-thirds had single sign-on — at least 3 in 10 are still getting started with dedicated app security testing and continuous authorization to operate tools.
- While a majority of respondents indicated having data encryption and data loss prevention tools on par with their peers, more than 1 in 3 said their agencies are still getting started with data tagging and tracking, data inventory and governance, and automated data flow mapping capabilities.
After reviewing the results, the federal CISO noted that despite half to two-thirds of respondents reporting various zero-trust security capabilities as being on par with, or superior to, their peers, in all likelihood, most of those capabilities were only partially deployed or operational. Consequently, agency leaders may be overoptimistic and have a steeper road ahead with implementing zero-trust security than many may fully recognize.
An additional challenge agencies face has been the extended amount of time it takes to get existing security products, such as EDR and asset management tools, to operate properly at the scale many larger agencies require, according to a federal IT director who reviewed the results, but wished to remain unnamed.
“This transformation to better situational awareness and telemetry is not easy when you look at what is deployed today,” commented Doctor Nicholas Lessen, a solutions architect specializing in User, Entity and Behavior Analytics at Forcepoint’s Global Governments division. “Many agencies have started down the road of zero trust with a focus on identity security; however, further integrations and automated, dynamic responses will be necessary to deliver a comprehensive view of the relationship of who and what is on the network, associated actions, and the risks to organizations.”
Download the full report, “The Quest for Zero Trust” for detailed findings.
This article was produced by Scoop News Group for FedScoop and sponsored by Forcepoint.