The Cybersecurity and Infrastructure Security Agency (CISA) is intensifying its efforts to assess the progress of U.S. federal agencies in adopting zero trust architectures, with a critical deadline approaching in November. Following a directive from the Office of Management and Budget (OMB), agencies were required to submit, by September 30, updated zero trust implementation plans detailing how they will transition from perimeter-based defenses to a zero trust model. This shift aims to enhance security by eliminating implicit trust, securing critical assets, and continuously verifying users and devices in real time.
CISA’s zero trust initiative lead, Brandy Sanchez, highlighted that the agency’s approach is collaborative rather than punitive. At a recent zero trust summit in Reston, Virginia, she stated, “The goal is not to put somebody in a box and beat them with a stick,” emphasizing the need for constructive support rather than enforcement. By leveraging over two years of data, CISA intends to identify funding shortfalls and improve technical assistance for agencies struggling with zero trust adoption. This data-driven analysis will help CISA understand how agencies are testing the effectiveness of their zero trust frameworks, including through penetration testing and evaluations against known cyberattack techniques.
Federal CIO Clare Martorana reported that agencies are largely on track, with most achieving high percentages towards their zero trust goals. However, she acknowledged that consistent funding poses a significant challenge for agencies as they strive to implement and maintain robust zero trust architectures amid shifting budget priorities. The government recognizes that adopting zero trust is a long-term journey, requiring ongoing commitment and resources to effectively combat evolving cyber threats.
In November, CISA plans to convene with federal agencies to assess funding gaps and explore potential alternatives for support, including shared services and partnerships with private sector entities. Sanchez noted that the primary objective is to implement measures that lead to a measurable reduction in cybersecurity incidents across the federal enterprise. As the government moves towards a more secure digital environment, the success of zero trust implementations will be crucial in strengthening national cybersecurity defenses.