Agencies Advance on Biden's 2021 Zero Trust Order
One year in, a new survey-based report indicates civilian and federal agencies are making progress on President Joe Biden's 2021 executive order to improve the nation's cybersecurity.
Zero Trust eschews the standard security approach of walling off IT systems behind a secure network perimeter. It has grown in popularity with the advent of hybrid work models, the proliferation of endpoints and bring-your-own devices, disparate and interconnected systems spanning clouds and enterprise datacenters, and just general complexity all around. Instead of trying to secure perimeters, Zero Trust assumes that such fortress security approaches will fail or have already been penetrated, seeking to lessen the damage that can be caused.
Issued May 12, 2021, Biden's executive order stipulates that by the end of fiscal year 2024:
The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.
That order to advance toward Zero Trust is well underway, indicates a new "State of Zero Trust" report from General Dynamics Information Technology (GDIT) titled "Agency Guide to Zero Trust Maturity."
"But agencies also face several challenges and know there is still more work to do," said GDIT about the survey, which polled 300 federal officials from civilian and defense agencies. Those challenges are depicted here:
That last item, lack of IT staff expertise, is a continuing problem in just about all cloud computing surveys, though it usually ranks even higher than No. 3 (see last week's article, "How to Address Crippling Cloud Skills Shortage?").
Regarding the No. 1 challenge about rebuilding or replacing legacy equipment, GDIT's cyber solutions director, Defense, said: "When some agencies still have data on mainframes or legacy systems, it's a big challenge. Agencies know they can't bolt on Zero Trust, so they must decide to rebuild or replace systems. That requires additional spending on top of investing in Zero Trust. Agencies have to make some hard decisions."
Respondents said overcoming those challenges listed above will: ensure the right users have the right access to the right resources at the right time; reduce risk of a data breach; and reduce the cyberattack surface:
Other data highlights of the study as presented by GDIC include:
- 63 percent of respondents said their agencies will meet these requirements on time or early.
- 92 percent are confident in their agency's ability to defend against cyber threats.
- 76 percent have a formal Zero Trust strategy in place, with 52 percent actively implementing one.
"This Zero Trust report shows that federal agencies are making great progress to strengthen their cybersecurity defenses," said Dr. Mathew McFadden, GDIT's vice president, cyber. "Zero Trust principles need to be implemented throughout the organization and must be embraced by business and IT stakeholders to establish a successful strategy that drives cyber resiliency and supports the organization's mission."
Biden's 2021 executive order is but one of many such initiatives the White House has instigated or supported (see last week's article "Biden Signs Metrics Bill to Combat Cybercrime into Law").
David Ramel is an editor and writer for Converge360.