Federal agencies are on the march to adopt zero trust cybersecurity architectures by the end of fiscal 2024.

The White House’s federal zero trust strategy, released in early 2022, set a deadline of Sept. 30, 2024, for each agency to adopt a zero trust security architecture. While the deadline is somewhat nebulous, the idea is for agencies to move away from perimeter security architectures toward “never trust, always verify.”

Over the last two years, Eric Trexler, senior vice president for U.S. public sector at Palo Alto Networks, said he has seen a “modernization of zero trust” within the  public sector.

“We’re seeing some maturity and understanding of what customers actually want from an outcome perspective in how they’re thinking about zero trust,” Trexler said in an interview with Federal News Network.

The Office of Management and Budget’s  zero trust strategy directs dozens of actions and deadlines for agencies to meet different aspects of zero trust. Meanwhile, the  Defense Department’s zero trust strategy also includes deadlines and checklists for military departments and agencies.

“What we’re observing is how customers are actually translating that into real world needs,” Trexler said. “We’re just starting to hear customers talk about outcomes. It’s still early on and still a problem. So when we sit down with a customer, oftentimes, they’re talking about how they meet the checklist or that segment of the project that they’re trying to deliver upon. We’ve got to drive for outcomes. We’re not there yet. My belief is  it’s coming.”

Many civilian agencies could end up missing the Sept. 30 deadline to fully adopt a zero trust architecture. But agencies are making important progress, especially on the identity pillar for zero trust, he said.

Federal progress on identity security

“If you don’t know who your users and applications and systems are, you really don’t know how to protect them,” Trexler said.

“They’re getting there. I really think what we’re going to see in the next phase is, ‘How do we holistically protect the organization better?’ ”

One of the challenges agencies often face in adopting zero trust, however, is the federated nature of their organizations.

“It’s really difficult to provide zero trust protection across the business when you’re deploying capabilities in silos,” he said.

AI and automation in aiding government cyber

Under President Joe Biden’s AI executive order, agencies are looking to adopt AI to advance their missions and customer service. But many agencies are proceeding cautiously, as generative AI tools can potentially expose data and prove untrustworthy.

“These are workloads that are actually

taking intellectual property from an agency and putting it into an unsecure cloud,”  Trexler said. “So how are we helping our customers understand, from a visibility and control perspective, how their employees  and their contractors are using AI today in  the organization?”

For cyber defenders, AI and automation

can help them focus on the most critical problems, he said.

“Automation and artificial intelligence allow us to package up what’s happening on

our networks, on our systems, within our workloads, and only elevate the highest order activities to the humans,” Trexler said. “It also frees up our humans, our personnel, to write more playbooks, to automate more, as opposed to just responding to hundreds of thousands of miscellaneous and benign, in many cases, updates and alerts.”

But, like any technology, AI can be used for good or bad actions. “Anything — fire, water, you name it — can be used for good or evil. Same thing with artificial intelligence. We’re seeing the adversaries pick it up and leverage it. We need to do the same thing.”

Learn more insights and tactics from Palo Alto Technology experts in an exclusive Federal News Network Expert Edition: Tackling cyber on multiple fronts.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.