Jan 6, 2023 - Technology

Government agencies embrace the "zero trust" cybersecurity future

Illustration: Shoshana Gordon/Axios

A security practice that few know how to define will take up a lot of the federal government's and the private sector's attention this year: zero-trust architecture.

The big picture: Federal agencies are racing to meet a September 2024 deadline to transition to it — and companies are looking to the government for guidance on what an esoteric zero-trust framework actually looks like.

How it works: "Zero trust" refers to a combination of security principles that can take several forms. Simply put, the idea focuses on limiting employees' internal access to only the documents and files they need for their jobs.

  • To do this, organizations audit what classified information is stored online, which employees and third-party digital tools have access to that info, and what additional security layers are needed to keep hackers out.
  • One common zero-trust practice is multifactor authentication (MFA), where users input a code to further verify their identity beyond an easy-to-steal password.

Why it matters: Security experts have long regarded a zero-trust framework as the gold standard for organizations because it minimizes the damage a hacker with a stolen employee password can do.

  • Many of the most notable security incidents, including the 2021 Colonial Pipeline ransomware attack, stem from hackers obtaining one stolen password to break in.

Catch up quick: The White House ordered all civilian government agencies last year to establish and implement a zero-trust plan by the end of September 2024 under the administration's zero-trust strategy.

  • The plans must include adopting a "phishing-resistant" form of MFA, maintaining inventories of digital assets, and segmenting each agency's network from those of other agencies.

Details: Cybersecurity consultants and lobbyists tell Axios that most of the zero-trust conversation this year will focus on the White House's ability to aid federal agencies in their mandated transitions.

  • This year's appropriations and budgeting cycle is the last opportunity to ensure federal agencies have the funds they need to meet the 2024 deadline.
  • In the private sector, companies are eyeing the government's approach for clear standards on what should be included in a zero-trust framework, Matt Gorham, leader of PwC's Cyber & Privacy Innovation Institute, tells Axios.

Between the lines: Federal CISO Chris DeRusha tells Axios his office is helping agencies overcome a handful of hurdles in their transitions, including modernizing their technology so it is capable of supporting capabilities such as MFA, and finding talent to assist in the transition.

  • "The hurdles here are similar to hurdles we've experienced in decades in modernizing federal IT," DeRusha tells Axios.
  • Matt Keller, vice president of federal services at GuidePoint Security, tells Axios that some agencies are "a little bit behind the curve" and still working on documenting their assets — the first step in determining what zero-trust would look like for their offices.

The intrigue: The private sector has been leading the way in adopting zero-trust ideas — providing valuable insights that the public sector can learn from.

  • 36% of CISOs said in a recent PwC survey that they had already started implementing zero-trust components, while 25% said their organizations would start doing so in the next two years.

Yes, but: Zero trust isn't a total silver bullet for securing a company.
