Through 2026, 75% of U.S. federal agencies will fail to implement zero trust security policies due to funding and expertise shortfalls, according to Gartner, Inc.
Gartner defines zero trust as a security paradigm that starts from the baseline of trusting no end user, and explicitly identifies users and grants them the precise level of access necessary to accomplish their task. Zero trust is not a specific technology, product or service. Instead, it is a set of security design principles that contrasts with the traditional perimeter-based security approach.
“With the September 2024 deadline for specific zero trust requirements for U.S. federal agencies being established, requirements are broad for all agencies,” said Mike Brown, Vice President Analyst at Gartner. “However, consistent with other compliance deadlines, agencies will struggle to meet these goals. Given the typical delays for Congressional passage of the federal budget, funds will likely not be available for the zero trust initiative until the second quarter of fiscal 2024, allowing only a partial year to achieve goals.”
Agencies Implementing Zero Trust Face Near-Term Hurdles
Although zero trust achievements, or lack thereof, may be captured in audits, public reporting on specific details of zero trust progress may be limited or obfuscated. This is to avoid identifying weaker aspects of government cybersecurity for the benefit of malicious actors.
“One of the main impediments for government agencies in their zero trust journey is a cybersecurity skills shortage,” said Brown.” Government agencies are challenged to compete with the private sector for staff with necessary skills. To address these talent shortages, agencies should be working simultaneously with service contracts, to reskill existing staff and to recruit new staff.”
Failure to meet policy deadlines will continue to leave federal agencies exposed to risks that could be mitigated.