Major agencies are close to meeting September zero trust deadline, federal CIO says
The deadline is linked to a sweeping 2021 cybersecurity executive order.
A tranche of major federal agencies have nearly met a Sept. 30 deadline requiring them to build out and adopt a degree of zero trust architecture on their networks, federal CIO Clare Martorana said Wednesday.
The zero trust cybersecurity model is a methodology in which users on a network are never inherently trusted and must be regularly verified before being allowed access to sensitive systems and webpages.
The 24 CFO Act agencies — federal regulators affected by a 1990 law that gave the White House new authorities to oversee the government’s financial management — are “all in the high 90% range” and, more broadly, federal entities “moved from 81% to 87% completion rate for agencies on that journey,” said Martorana, who did not specify exactly when the jump to 87% was made.
There is no single zero trust solution available for agencies to procure. But several private firms specializing in specific zero trust pillars have been working for years to secure contracts with agencies since a major cybersecurity executive order was signed by President Joe Biden in 2021.
The Cybersecurity and Infrastructure Security Agency in May provided agencies guidance to meet website encryption requirements and move closer toward their zero trust goals.
Zero trust isn’t a one-size-fits-all approach because nation-state adversaries and cybercriminals can still innovate and find workarounds that allow them to breach architected systems.
“It is a continued journey that the government is going to undergo for many years,” Martorana said.
The May 2021 executive order directed all federal agencies to develop a plan for implementing zero trust strategies. The Office of Management and Budget later issued a memo in January 2022 that, in part, required agencies to undertake a series of steps by the end of fiscal 2024 “to form a starting point to implementing zero trust architecture.”
Federal cyberdefenses became a top issue for the Biden administration after the Colonial Pipeline and SolarWinds Orion incidents that occurred in the past couple of years. Other headline-making hacks have followed, including last summer when Chinese operatives accessed the email inboxes of U.S. officials, which later became the subject of a major DHS oversight report.