Gartner VP Analyst: 75% of U.S. Federal Agencies Will Fail Zero Trust Security

KEY TAKEAWAYS

  • Gartner predicts 75% of U.S. federal agencies will fail to implement zero trust security policies by 2026 due to funding and expertise shortfalls.
  • There's a significant cybersecurity skills shortage, making it hard for federal agencies to find qualified talent.
  • Tight deadlines and delays in federal budget approval are challenging federal agencies.
  • Experts recommend phased approaches that focus on critical assets first to overcome challenges.

U.S. federal agencies, focusing on resources, finance, and national security, face unprecedented threats as nation-state cyber gangs escalate their attacks, on top of a constantly changing regulatory landscape.

While government budget spending on cybersecurity is on the rise, federal agencies face significant roadblocks ranging from legacy systems and slow digital transformations to continual breaches and bottlenecks in the bureaucratic landscape.

More importantly, federal agencies are struggling with the most basic cybersecurity concept: Zero Trust, according to some of the analysts we spoke to, including Gartner VP Analyst Michael Brown.

We speak to Gartner and other experts to unravel the zero trust gaps in federal architectures, understand the risks and pathway to progress, and move the conversation forward.

U.S. Federal Agencies Exposed to Risks that Could Be Mitigated

On March 28, Gartner predicted that in 2026, federal agencies will have failed in their zero trust policy programs. Gartner attributes this failure to several factors, including a lack of talent and funding.

Zero trust is the basis of a security paradigm that assumes no one can be trusted, everyone must be identified and verified constantly, and every user must have the necessary, precise level of access.

From the starting principle of zero trust, a wide range of people, processes, and technologies are orchestrated to mitigate and deter attacks.

Zero trust also requires a cultural shift in mentality: it is a foundation that provides the core concepts for engineering security and for designing compliance and governance programs.

Working Around Cybersecurity Skills Shortage

Numerous studies revealed that the cybersecurity skill shortage was reaching critical proportions by the end of 2023. The International Information System Security Certification Consortium (ISC2) found that a record-breaking gap of 4 million cybersecurity professionals is impacting all sectors.

ISC2 estimated the global cybersecurity workforce to be at 5.5 million people, an 8.7% increase for 2023, representing 440,000 new jobs. While this is the highest workforce ISC2 has ever recorded, the demand for security specialists far outweighs the supply, with 92% of cybersecurity professionals reporting skill gaps at their organization.

ISC2 said the skills in top demand include cloud computing security (35%), artificial intelligence and machine learning (32%), and zero trust implementation (29%).

Economic uncertainty, tech layoffs, increased cyberattacks, and the complexities of an ever-evolving governance landscape, paired with new emerging technologies, are all factors linked to the skills gap affecting cybersecurity.

While some organizations turn to remote work, rewards, incentives, and career growth opportunities to attract and retain talent, other companies invest in AI, machine learning, and automation to close the gap.

Brown from Gartner spoke to Techopedia about the innovative solutions that federal agencies can explore to attract and retain the cybersecurity talent necessary.

“Given an unemployment rate of 3.5%, federal agencies will be particularly challenged.

 

“There are a range of other recruitment incentives that agencies can use, such as superior qualifications to address some degree of pay differential, advance leave earnings, student loan repayment, and monetary recruitment incentives.

“The Direct Hire authority, which streamlines federal hiring, has been used for cybersecurity positions for some time.

“Agencies can use these techniques to bolster recruitment efforts. Growing cybersecurity talent from within through employee development is also a recommended approach,” Brown added.

Leveraging Existing Resources

Shawn Waldman, CEO and Founder of Secure Cyber Defense, said federal agencies are going to have to work these initiatives into their already existing budgets and processes.

“This adjustment responds to last-minute budgetary changes and alterations, driven by a series of critical factors and binding operational directives issued by the Cybersecurity and Infrastructure Security Agency (CISA),” Waldman said.

“Federal agencies are still having difficulty attracting talent, which has been exacerbated by the private sector’s ability to offer significantly higher salaries and more flexible work-from-home options.”

 

“The allure of civil service positions, once prized for job security, is waning among younger generations.

“This skills gap, coupled with the agencies’ reliance on complex and outdated network infrastructures, is poised to exacerbate existing challenges and hinder the Federal Government’s capability to meet essential cybersecurity standards over time,” Waldman added.

“Agencies must consider their current infrastructure, threat landscape, budget constraints, and the specific measures required for compliance.”

U.S. Government Security Budgets Challenges

Gartner warned that, with the September 2024 deadline for specific zero trust requirements for U.S. federal agencies coming closer, agencies will have a hard time meeting these goals.

Brown from Gartner walked us through the budget situation federal agencies are in.

“Given the typical delays for Congressional passage of the federal budget, funds will likely not be available for the zero trust initiative until the second quarter of fiscal 2024, allowing only a partial year to achieve goals.”

Additionally, Gartner highlights the shortage of specialized cybersecurity and compliance workers, opaque audits, and how the failure to deploy zero-trust operations effectively leaves federal agencies exposed to risks that could be mitigated.

“When the Office of Management and Budget (OMB) established zero trust requirements, there was a recognition that additional funding would not be immediately available,” Brown said.

“Agencies were directed to ‘internally source funds in FY22 and FY23’ and to ‘seek funding from alternative sources, such as working capital funds or the Technology Modernization Fund’.

“This meant finding trade-offs during those years, with FY 2024 being the first opportunity to build zero trust requirements into the President’s budget request to Congress.”

Brown explained that the Biden administration requested a $12.7 billion increase in cybersecurity funds for FY 2024.

“The protracted passage of appropriation bills for FY 2024 delayed cybersecurity funding, and reports indicate the Congress passed appropriations at a slightly lower $11.8 billion for cybersecurity funding this year,” Brown said.

“In short, agencies can only continue to include their zero trust needs in the regular formulation process for the President’s budget request and make tradeoffs among other initiatives failing additional appropriations.”

Zero Trust’s Broad Nature and Tight Deadlines

Implementing zero trust requires a holistic approach that expands across an organization and its connected parties, affecting its compliance and security teams, and all workers.

Given the broad nature of zero trust and the tight deadlines federal agencies are under, Techopedia asked Brown how agencies can prioritize critical areas and whether a phased implementation of zero trust policies is the right way forward.

“Gartner recommends focusing on High-Value Assets, which are defined as systems where unauthorized access, use, disclosure, disruption, modification, or destruction impacts national security, foreign relations, economy, public confidence, civil liberties, or public health and safety.”

Waldman said that federal agencies should concentrate very heavily on locating critical data, server assets, virtual machines, and services.

“This alone could prove to be a giant undertaking as there may not be adequate documentation in place to uncover these,” Waldman said.

“Contract work is going to be critical in achieving just this step. Once this is complete, then work can proceed on trying to identify network traffic segmentation.”

Balancing Transparency and National Security

The Gartner federal agency prediction blog post explains that unlike other sectors, where zero trust progress and standards may be captured in audits, federal agency details are often limited or obfuscated to avoid giving away information to bad actors about the specific technical weaknesses found in the government’s cybersecurity.

“Some degree of public visibility and accountability for achieving zero trust objectives is provided through the annual Federal Information Security Modernization Act (FISMA) audits conducted by department and agency inspectors general (IG),” Brown explained.

The Cybersecurity and Infrastructure Security Agency (CISA) annually updates the metrics used by IGs in these audits, and they currently include some aspects of the zero-trust mandate.

“The public can see achievements against FISMA metrics at performance.gov,” Brown said. “The FISMA audit information is also used to form one of the graded areas for the Congressional Federal IT Acquisition Reform Act (FITARA) scorecard.”

“While the FISMA audits and FITARA scorecard provide some transparency, it is noteworthy that only eight of the 16 zero trust capabilities mandated for agencies by OMB are captured in those processes.”

How Can Federal Agencies Measure Zero Trust Success? Key Metrics and Benchmarks

Brown explained that federal agencies have a clear road ahead when implementing zero trust programs and policies, as well as clear documents that establish requirements, rules, and criteria to measure zero trust.

“The specific zero trust requirements were established by OMB memorandum M-22-09, which entails enough detail for some of the 16 requirements to provide measurement criteria,” Brown said.

“Where measurement criteria are not explicitly defined in M-22-09, other directives such as OMB memorandum M-21-31 on event logging, CISA Binding Operational Directive 23-01 addressing endpoint detection and response, and National Institute of Standards and Technology Special Publication 800-207 covering zero trust architecture provide criteria that can be used to measure progress.”

“Gartner recommends that agencies have a dedicated zero trust scorecard or measurement program that covers each of the 16 capabilities cited in M-22-09.”

A Three-Phase Zero Trust Deployment Model

Yiyi Miao, Chief Product Officer at OPSWAT, said that funding and skills gaps will always be a challenge at any cybersecurity maturity level.

“There will always be needs for additional layers of defenses, upgrading outdated technologies and continuous discovery and investment for blind spots, but these certainly shall not be excuses why zero trust cannot start at some of the base levels for quick returns.”

Miao explained that specifically for these challenges, good strategies include:

Adding layers of defenses: Rather than spending massive efforts and resources rearchitecting to achieve zero trust, organizations can consider layering additional defenses to reduce other risk factors, which may ultimately yield better returns than focusing on users alone.

Replacing outdated technologies: Waves of new technologies come to the market every 2-3 years, like the explosion of cloud, big data, machine learning, and AI over the past decade. Trying to keep up with all the modern tech is simply unrealistic, but one must evaluate the efficacy of the current tech stack, specifically against the use cases, before choosing to upgrade and hoping the tech itself will provide zero-trust implementation.

Investment for discovering blind spots: The reality is that there are blind spots, the “unknowns” or the “unidentifiable objects or processes.” It is advised to maintain a consistent baseline ideally considering all types of assets, including inventories of users, services, assets, and processes, and slowly start applying zero trust to only the most mission-critical elements.

Based on the strategies above, a phased approach can be summarized as follows:

  • Phase 1: Identify the baseline inventory, physical or digital perimeters, and criticality of the targets where zero trust needs to be introduced. Strategize the plan based on the accessibility of the targets, impact levels, and efforts to re-architect, and determine the priorities.
  • Phase 2: Assess the existing technology stack, evaluate efficacy for each applied use case, stack-rank the ROI, and replace/decommission bottom-up.
  • Phase 3: Add layers of defenses to areas where zero trust is infeasible to apply or simply too high in cost and complexity; layered defenses may achieve the same goal.

“Federal agencies need bright minds to fight cybercrime,” Miao said.

Private Sector Partnerships

Miao added that federal agencies can also benefit from partnering with private companies. These partnerships would allow government workers to learn new ideas and skills from the private sector, and in return, private sector professionals could experience government cybersecurity firsthand.

Additionally, Miao said that before-and-after reports of penetration tests, tech stack reports, user training stats, budget spending, and security incident numbers are good methods to measure progress.

The Bottom Line

Despite facing significant challenges, U.S. federal agencies must ramp up their zero trust efforts. The path forward requires a multi-pronged approach that addresses talent shortages, funding limitations, and tight deadlines.

Prioritizing critical assets, such as systems containing sensitive data or critical infrastructure, is key to securing the most valuable assets. Additionally, a phased approach can help agencies overcome roadblocks. By thinking big and taking small steps, confidence and momentum can be generated, while invaluable skills and resources can be gained.

Partnerships with private companies can also provide valuable expertise and additional resources to federal agencies, while collaboration across government agencies can foster knowledge sharing and best practices.

Finally, metrics such as penetration testing results, user training completion rates, and security incident numbers can be used to track progress and identify areas for improvement. While achieving full zero trust may take time, demonstrable progress is essential to strengthen the security and compliance postures of all U.S. federal agencies.
