In January 2022, the Zero Trust Federal Strategy set a deadline of September 30, 2024, for agencies to adopt some level of zero trust architecture. Based on early indications, agencies have largely met zero-trust goals. The Federal CIO reported in early September that the 24 CFO Act agencies were all over 90% of the way to meeting the zero-trust goals. Beyond that group, the federal government as a whole was at 87% goal completion.
What's Changed?
The shift to zero trust is a response to the way government and citizens are using technology. With the increased use of cloud-based solutions, the traditional "castle and moat" security that protected on-premises infrastructure no longer supports the way applications are being deployed. Zero trust focuses on continually verifying that users have permission to access the data and systems they are using. Gaining access requires coordination among a number of technologies that all work with a common set of user identification and access policies.
To meet the goals of the Zero Trust Federal Strategy, agencies have:
- Inventoried existing security tools to understand what is in use today and whether it can be used to adopt a zero-trust approach.
- Implemented multi-factor authentication to add necessary rigor to user identification.
- Categorized data to ensure the right level of access is granted to applications and users.
- Implemented microsegmentation, dividing networks into smaller segments to limit movement across the whole network. With this approach, if one area is compromised, it can be sectioned off from the rest of the network, stopping the spread of threats.
- Added endpoint detection and response (EDR) solutions to monitor and control the devices connecting to their systems.
- Enhanced continuous monitoring and logging with increased use of security information and event management tools.
How'd They Get There?
To build a zero-trust architecture, agencies have to address the five pillars--identity, device, data, application, and network. Some agencies worked on addressing all five at once, while others took a pillar-by-pillar approach. In all cases, progress was steady. A report issued in the spring of 2024 found that agencies had increased their encrypted data by at least 10% and that 92% of federal endpoints are covered by at least one EDR solution.
The Secret Service took the pillar-by-pillar approach, starting with identity. They implemented new identity, credential, and access management processes to provide secure conditional and remote access. The Department of the Interior saw the device pillar as the most critical area after concluding that current device access and management were their largest security threat. They implemented a secure access service edge solution to replace their VPN and make it easier to detect and remove unauthorized devices from the networks.
What's Next For Zero Trust
In meeting this first deadline, agencies have made considerable progress toward the zero-trust maturity goals for identity and devices. The data pillar is the most challenging, given the vast amount of data held by agencies in legacy systems not built to conform to zero trust. Early zero-trust work has been successful in ensuring that legitimate users get secure access to the data they need, but the next step is for agencies to begin measuring how their zero-trust implementations are actively thwarting hacking attempts.
To learn more about government's zero-trust journey, check out these events and resources:
- 5 Zero Trust Confessions: Fireside Chat (December 5, 2024; webcast) - Effective zero-trust strategies utilize a mix of existing technologies and approaches, and it does not happen overnight--it is a journey. This webinar will discuss practical guidance for agencies aiming to navigate their own zero-trust journeys effectively.
- Zero Trust Summit (February 19, 2025; Washington, DC) - Hear firsthand experiences and strategies in laying the foundations for and establishing the major pillars of zero-trust cybersecurity from federal and industry tech and cybersecurity leaders. Learn how agencies are implementing advanced identity and access management platforms, taking new steps to protect their networks and data, and capitalizing on the latest cloud security applications.
- Zero Trust World 2025 (February 19-21, 2025; Orlando, FL) - Cybersecurity professionals from around the world will discuss the lessons learned, provide insights on tackling tough security challenges, and break down the latest security news, regulations, and threats.
- Advancing Zero Trust in US Government Networks (white paper) - U.S. government networks are facing unprecedented cybersecurity challenges as technology advances at breakneck speed. From budget to culture, agencies are facing numerous roadblocks preventing them from advancing zero trust. In a recent roundtable discussion, federal experts explored these challenges while underscoring the ongoing potential of zero trust to fortify cybersecurity now and into the future.
- Achieving Zero-Trust Architecture: Culture Eats Strategy for Breakfast (white paper) - The urgency of adopting recommendations to post cyber experts on boards cannot be overstated. As cyber threats continue to evolve in complexity and sophistication, the need for informed and proactive governance in cybersecurity becomes increasingly critical. This white paper serves as a call to action for both cyber professionals and corporate boards to collaborate toward a secure, resilient, and strategically informed future.
- Advancing Zero Trust Maturity Throughout the Visibility and Analytics Pillar (white paper) - This paper centers on the visibility and analytics aspect of the Zero Trust model, emphasizing the significance of comprehensively observing data characteristics and events within an enterprise-wide environment.
Find additional insights on zero trust in government on GovEvents and GovWhitePapers.