Federal agencies are engaged in “a tremendous amount of work” to meet requirements to move to zero trust security architecture as laid out in President Biden’s cybersecurity executive order issued last year, even as some agencies are struggling with initial steps to begin that transition, a top Cybersecurity and Infrastructure Security Agency (CISA) official said Wednesday.
Since the executive order came out in May 2021, hundreds of agencies across the government have initiated plans to adopt zero trust principles, said Matt Hartman, CISA’s deputy executive assistant director for cybersecurity.
“There has been a tremendous amount of work across the government” on zero trust over the past year, Hartman said at the FCW Summit on IT Modernization. Citing efforts at agencies such as the departments of Veterans Affairs, Agriculture and Education, he said Federal officials “are really rallying around one another in this space to help make some advancements.”
At the same time, the CISA official acknowledged that the path to zero trust is complicated, and that Federal agencies need to overcome what can sometimes be “a bit of fear and uncertainty and doubt in the community about where to begin, how to begin.”
The administration’s push for zero trust “is a real goal, it is the right goal, but agencies are struggling to begin,” he said. That struggle is rooted in the reality that the effort can require a comprehensive approach to rebuilding and replacing existing infrastructure.
“There is no cookie cutter approach, no linear place to start zero trust,” said Hartman, a cybersecurity veteran who has been with CISA since its establishment in late 2018, and who has served the Department of Homeland Security in a variety of cybersecurity roles over the past decade.
CISA, he said, is trying “really to demystify zero trust and to help agencies, to guide agencies in implementation.” He added that the change will likely require a high-level commitment to “breaking down cultural barriers … this is going to be truly a cultural shift.”
In previous talks about the transition, Hartman has provided context on the complications along the Federal road to zero trust, saying at a MeriTalk webinar last year that “a reasonable timeline” for “a significant start” on zero trust is three years.
The topic of Hartman’s panel discussion Wednesday at the FCW event was “security as a motivating force for modernization” and whether the move to a multi-cloud environment poses cyber risks.
Security and IT modernization, he said, “really go hand in hand. Security really should be an integral part of every IT modernization effort. Period.”
The increasing move to multi-cloud, fueled by the COVID-19 pandemic, has raised questions about whether the trend increases the risks of cyberattacks. Recent MeriTalk research found that 81 percent of Federal agencies now use more than one cloud platform, but that cyber strategies are not keeping up.
While 83 percent of Federal cyber leaders say their agency is increasing multi-cloud adoption to support telework and mission needs related to COVID-19, the research found, 42 percent say that efforts to adapt cybersecurity strategies accordingly are not moving fast enough for evolving cloud environments.
Over the long run, however, 84 percent of 150 Federal cybersecurity managers surveyed by MeriTalk and GDIT said successful multi-cloud adoption will strengthen their overall cybersecurity posture.