How ready are federal agencies for zero trust implementation?

More than 70 percent of federal agencies are aggressively adopting zero trust principles, while another 26 percent are adopting where they feel it makes sense, according to a Merlin Cyber and MeriTalk report.

The report is based on a survey of more than 150 federal cybersecurity decision makers and explores the priorities, goals and anticipated challenges around the federal government’s zero trust implementations.

Recent high-profile cybersecurity incidents have fueled the urgency to secure federal networks and systems against adversaries. The 2021 Executive Order on Improving the Nation’s Cybersecurity, Office of Management and Budget’s (OMB) Federal Strategy for a Zero Trust Architecture, and the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model have outlined the application of zero trust principles for agencies.

The report analyzes decision makers’ concerns around the feasibility of the federal government’s zero trust goals. In particular, while 92 percent say these recent federal initiatives have increased their confidence in the implementation of zero trust, 87 percent feel that the Executive Order and OMB Zero Trust Architecture pushes agencies to move too fast for effective implementation.

Zero trust adoption challenges for federal agencies

• Centralizing previously siloed cybersecurity tools/deployments
• Integrating new solutions with legacy systems that rely on implicit trust
• Staffing/training; and
• Selecting the right vendor

Further, the report also looks into the importance and prioritization of the five pillars as outlined in OMB’s Federal Zero Trust Strategy.

• DoD priorities: Identity (75%), Data (63%), Applications (63%), Networks (57%), Devices (45%)
• Civilian priorities: Data (68%), Identity (67%), Networks (49%), Applications (44%), Devices (44%)

“As agencies take steps to comply with the Executive Order, OMB Zero Trust Architecture and CISA Zero Trust Maturity Model, it is critical that the private sector understands the areas of confidence and concern among federal cybersecurity decision makers,” said Miguel Sian, Senior VP of Technology at Merlin Cyber. “Public-private collaboration will be essential as agencies move from zero trust confidence to competence over the next three years.”

Zero trust goals identified

• DoD: Supporting intelligent automation of security actions (49%), moving reliance to encryption and application testing instead of perimeter security (42%), and enabling safe and robust use of cloud services (38%)
• Civilian: Enabling safe and robust use of cloud services (52%), bolstering strong identity practices across Federal agencies (39%), and recognizing every device and resource the government has (37%)