Prioritizing a zero-trust approach to migration helps limit the harmful impact of cyberattacks in the US.
The Biden administration mandated that federal agencies adopt zero-trust network architectures in early 2022, following the requirements set forth in the Office of Management and Budget (OMB) Memorandum M-22-09 and Executive Order 14028. Although the initial timelines for full migration have lapsed, agencies continue to work diligently on implementing zero-trust principles.
Adopting Zero-Trust Networks
Federal agencies have been developing and implementing zero-trust strategies since 2022. The Cybersecurity and Infrastructure Security Agency (CISA) has updated frameworks like the Zero Trust Maturity Model (ZTMM) to guide agencies in incremental implementation with increasing rigor.
Timeline and Current Status
The original deadline for full migration has passed, but the foundational expectations and roadmaps remain in place. Agencies are emphasizing zero trust as a continuous strategic approach essential for operating securely in the face of evolving threats, including those posed by AI technologies.
In mid-2025, the Department of Defense (DoD) issued Directive-Type Memorandum 25-003 to incorporate zero-trust principles into its enterprise services, planning, training, and governance, indicating ongoing expansion and formalization of zero-trust adoption within major federal components.
Future Plans
Future plans involve continuing architectural work, demonstrating zero trust as a holistic security approach, enhancing network segmentation and microsegmentation techniques, and expanding zero-trust principles into various sectors within the DoD. Ongoing updates to federal cybersecurity guidance and training will embed zero trust in agency operations and defenses.
The Importance of Zero Trust
Zero-trust networking emphasizes limiting the damage hackers can do by putting hurdles in their way, sealing off networks, and enforcing strict user authentication. The aim is to make it as difficult as possible for attackers to move laterally within a network and to limit the blast radius of an attack. Duffy, the acting federal chief information security officer, stated that the time to respond is increasingly narrow, making it crucial to ensure the blast radius is as narrow as possible.
Communication and Challenges
Successfully transitioning a network to zero-trust architecture requires broad communication of the value of the changes, which can be disruptive to network users. Robert Costello, the chief information officer of the Cybersecurity Division at CISA, participated in a panel discussion and emphasized the need to explain zero trust to the entire community. CISA's own transition to zero-trust networking has highlighted some of the challenges involved in modifying an enterprise's network.
Not everyone may be enthusiastic about cybersecurity or IT, according to Costello. However, the next big push from the government will be about demonstrating that zero trust is a way of thinking, architecting, and operating, not just a set of technologies.
- The adoption of zero-trust network architectures in federal agencies is not just about implementing new technologies, but also about fostering a mindset that prioritizes privacy and identity management within cybersecurity.
- As the Cybersecurity and Infrastructure Security Agency (CISA) continues to update models like the Zero Trust Maturity Model (ZTMM) and guide federal agencies in implementing zero-trust principles, it's crucial to communicate the benefits of this approach effectively to ensure minimal disruption to network users.
- In the face of evolving threats and expanding technology, such as AI, zero trust is being emphasized as a continuous strategy that promotes a holistic approach to cybersecurity and privacy management.