
Federal agencies modernizing digital services must rethink how security, identity, and networking systems work together as threats become more sophisticated, a senior National Institute of Standards and Technology (NIST) official said Thursday.
Ryan Galluzzo, digital identity program lead in NIST’s Applied Cybersecurity Division, said during a GovExec webinar that agencies face growing pressure to move away from siloed security models toward integrated approaches that offer real-time visibility across systems.
“One of the key aspects of deploying a more secure, more zero-trust-aligned architecture is having that unified view,” Galluzzo said, adding that having visibility into possible threats across all the different components that operate within your network allows agencies to “make decisions that are better informed and ideally closer to real time.”
Galluzzo said achieving that visibility requires deep integration across teams that have historically operated independently, including identity management, logging and analysis, and network security.
“There’s a lot of different components that need to play into this, and each one of them needs to be able to provide their little piece of the puzzle and coordinate [and] collaborate,” he said. “That provides a bigger [and] better picture for organizations, to be able to make real-time and informed decisions.”
Galluzzo explained that the urgency for zero trust adoption is driven by an evolving threat environment in which attackers are becoming more patient and sophisticated.
“The more siloing you have, the more separation you have, the more gaps you have,” Galluzzo said. “The more likely it is that they’re going to find a way to wrinkle in and do damage that you can’t detect very easily.”
Galluzzo also discussed the role of identity and access management in supporting a hybrid workforce, pointing to NIST’s digital identity guidelines as foundational to zero trust architecture. He said emerging technologies can improve both security and usability, particularly through secure elements embedded in devices.
Addressing legacy systems, Galluzzo said zero trust implementation is ultimately an exercise in prioritization. Agencies must understand what systems they have, which ones are most critical, and which can realistically support modern security controls.
“You can’t simply say, we’re just going to make everything zero trust,” he said. “It’s not a realistic goal.”
According to Galluzzo, agencies should develop roadmaps that balance risk, modernization, and system retirement, while building zero trust principles into all new systems from the start.
When measuring success, Galluzzo said agencies should focus less on static compliance metrics and more on continuous improvement.
“There’s not one single, ‘I’m safe now’ metric,” he said. “The real focus here is that continuous improvement and the continuous growth of capabilities over time.”