A zero trust maturity check-in: Where does your agency stand?
While the September 2024 deadline served as an important milestone, the journey to full zero trust is ongoing.
Federal agencies have been racing against the clock to implement a zero trust security architecture, with a critical checkpoint having passed at the end of September. While the Department of Defense has a longer-term target of achieving “full” zero trust by the end of fiscal year 2027, the September deadline marked a crucial progress checkpoint. This deadline, established by the Office of Management and Budget in its 2022 Zero Trust Strategy, represented a significant push for agencies to demonstrate their commitment and progress toward this paradigm shift in cybersecurity.
In the work my team and I do with federal agencies to help them meet and surpass this deadline, we’ve found they struggle in a few areas.
Organizational alignment
Effective zero trust implementation hinges on a high degree of collaboration across an organization. Teams accustomed to operating in silos often struggle to synchronize their efforts for a zero trust initiative. Agencies that spend time making sure their teams are aligned — and stay aligned — are better poised for success.
Creating cross-functional teams that encompass representatives from IT, security and other relevant departments is essential. These teams should be empowered to break down departmental barriers and work toward a shared goal. By establishing clear communication channels and defining shared objectives, organizations can ensure everyone is aligned with the zero trust vision.
Moreover, defining roles and responsibilities within the context of zero trust is crucial. Each department should understand its specific contributions to the overall initiative. This clarity prevents duplication of efforts, enhances efficiency and promotes accountability.
Implementing a comprehensive change management strategy is equally important. Zero trust represents a significant shift in security paradigms, and employees at all levels need to understand the reasons behind the change. Effective communication, training and support can help alleviate concerns and create a culture of security awareness. By involving employees in the process and emphasizing the benefits of zero trust, federal agencies can build momentum and ensure a smooth transition.
Tool set evaluation
Those agencies that are further along in the process are doing a thorough evaluation of existing security tools. Understanding the capabilities and limitations of current security infrastructure is essential for bridging gaps and optimizing resources. A comprehensive assessment serves as a critical foundation for building a robust zero trust architecture.
To initiate this process, organizations are creating a detailed inventory of their security tools, encompassing hardware, software and cloud-based solutions. This inventory provides a clear overview of the organization’s security landscape, including the functions, capabilities and interoperability of each tool. Once a comprehensive inventory is established, a gap analysis is conducted to identify areas where security coverage is lacking. This assessment focuses on potential vulnerabilities, overlaps in functionality and areas where additional tools or enhancements may be necessary.
By understanding the strengths and weaknesses of the existing tool set, organizations can make informed decisions about tool optimization and integration. This may involve upgrading existing tools, configuring them for zero trust principles or integrating them with new technologies. The goal is to maximize the value of existing investments while ensuring the security architecture aligns with zero trust requirements.
Maturity assessment
Agencies that understand their current tool set and the changes required are at a point where a maturity assessment is valuable. A clear understanding of an organization’s current zero trust posture is essential for developing a strategic roadmap. By evaluating existing capabilities, identifying gaps and establishing a baseline, organizations can prioritize initiatives and measure progress over time.
A maturity assessment typically involves evaluating various aspects of the zero trust framework, including identity and access management, device security, network segmentation, application and workload protection, and data security. By assessing the organization’s proficiency in each of these areas, it becomes possible to identify strengths, weaknesses and opportunities for improvement.
Once the assessment is complete, organizations can develop a prioritized roadmap outlining the steps necessary to advance their zero trust maturity. This roadmap should be aligned with overall business objectives and security goals. By setting clear milestones and metrics, organizations can track progress and adjust their strategies as needed.
Strategic partnerships
Leveraging the expertise of external partners can significantly accelerate zero trust adoption and mitigate implementation challenges. Agencies can benefit from the knowledge and experience of partners who have successfully implemented zero trust solutions. By collaborating with these experts, agencies can access specialized skills, resources and best practices without having to go through the growing pains of doing something for the first time.
Carefully selecting a zero trust partner is crucial. Organizations should evaluate potential partners based on track record, industry expertise and alignment with the agency’s specific needs. Establishing clear expectations and defining roles and responsibilities is essential for a successful partnership. By outlining the scope of the partnership, defining key performance indicators and establishing communication channels, organizations can ensure the collaboration delivers the desired outcomes.
While partnerships offer numerous advantages, agencies must consider potential risks as well. Effective risk management strategies should be in place to protect sensitive information and maintain control over the zero trust implementation. By carefully selecting partners and implementing appropriate safeguards, agencies can mitigate risks and maximize the benefits of collaboration.
The journey to zero trust
The journey to zero trust is complex, requiring a strategic and collaborative approach. By prioritizing organizational alignment, conducting thorough tool set evaluations and undertaking maturity assessments, agencies can establish a solid foundation for their zero trust initiatives. Strategic partnerships with experienced providers can further accelerate progress and enhance the overall security posture.
While the September 2024 deadline served as an important milestone, the journey to full zero trust is ongoing. As agencies continue to work toward the longer-term goals, they must remain vigilant and adaptive. By embracing these key principles and continuously adapting to evolving threats, agencies can build a resilient and secure infrastructure capable of protecting sensitive information and mission-critical assets.
Mark Modisette is senior director of zero trust strategy at Optiv + ClearShark.