A survey finds a majority of federal IT managers say replacing legacy technology is the biggest challenge to implementing federal zero-trust mandates. Pictured: President Joe Biden speaks in the South Court Auditorium on the White House campus May 10, 2022, in Washington. (Photo by Drew Angerer/Getty Images)

It’s taken Congress many years to grasp the connection between IT modernization and cybersecurity. While the Biden administration has tapped the Technology Modernization Fund in recent years to dole out hundreds of millions of dollars for cybersecurity-focused projects over the past year, those figures almost certainly represent just the opening salvo.

A new survey of 300 federal IT and program managers reinforces that connection, with nearly six out of every 10 respondents cited rebuilding or replacing their existing legacy technology infrastructure as the top challenge facing their implementation of White House zero trust security mandates by 2024.

The survey, conducted in February by General Dynamics Information Technology, finds that most agencies feel they are progressing in their efforts to implement a slew of new cybersecurity requirements formally issued by the Biden administration in January, but it also underscores how much more work is left to be done.

Matt Hayden, a vice president of client engagement at GDIT, said despite the “fully loaded” approach by the Biden administration to pump modernization dollars into cybersecurity projects over the past year, large patches of the federal IT environment remain unsuited to a modern security architecture like zero trust.

“When we saw those results, the experience, to me, immediately jumps large data centers that just weren’t designed with this type of framework in mind or legacy applications that kind of that perimeter approach to security as opposed to the per-operation view of security,” said Hayden, who served as assistant secretary for cyber, infrastructure, risk, and resilience policy at the Department of Homeland Security until this year and as a senior advisor to CISA before that, in an interview. “Those aren’t going to be easy to convert and so those are going to need to be either modernized or replaced.”

Longstanding concerns implementing zero trust at the federal level

While modernization concerns were top of mind, three other challenges — dealing with the associated costs, figuring out how to translate the mandates to specific technology procurements and navigating a lack of IT expertise on staff — speak to longstanding concerns voiced by agency tech and cybersecurity leaders.

The conversation on funding has been particularly worrisome for some agencies, including many smaller and micro-agencies that often have acute experience with all three of the constraints listed above. Because of differences in size, budget, mission and existing IT environments, each agency’s journey to implementing their own zero-trust architecture will likely be unique.

“You just look at the resource levels of the CFO Act agencies — and even within CFO Act and down to the medium and small [agencies], I don’t think that you can have a one-size-fits-all approach,” Chris DeRusha, federal chief information security officer, told SC Media in April. “I think as we start to get all that information in [from agencies] we’ll see what the common themes are of where agencies may feel gapped or not able to achieve a certain outcome as we start to … move forward with budget proposals.”

That same month, DeRusha’s predecessor, Greg Touhill, told SC Media he favored a shared-services approach whereby larger agencies or a third-party entity could help manage parts of the zero-trust transition for smaller agencies.

Hayden argued the survey results, with about half of respondents saying they were on track to meet all their requirements, reflect both tremendous progress by the federal government writ large and a warning to pay more attention to the “small to complex agencies that are in effect reaching out for help with these results.” Like Touhill, he also floated the possibility of a shared services model for agencies with more immature IT security.

“CISA and [the Defense Information Systems Agency] are going to have a great opportunity to work with those that are candidly saying, ‘We’re not going to hit that timeline unless we get some additional help here to prioritize,’” he said.

The roots of zero trust go back to many older core security principles, including the concept of “least privilege” whereby access to systems and data is doled out only to those who need it, and high-level administrator access is severely restricted. It’s little surprise that a majority of respondents (57%) cited “the right users [getting] the right access to the right resources at the right time” as the most attractive benefits of the zero-trust push for federal agencies. A related outcome, reducing the risk of a data breach, was the second most cited answer at 46%.

A number of agencies overseeing or supporting the shift have put out their own resource and guidance. Of those choices, most found the guidance set forth by the Office of Management and Budget to be the most useful. While 52% of feds said they were following the guidance from CISA's Zero Trust Maturity Model, just 15% reported that it was the helpful. The survey also found that “maturity levels do not necessarily lead to confidence in an agency’s ability to defend itself from cyber threats.”

Hayden said CISA has always worked to get resources or guidance out as quickly as possible and then refining those products as they engage with practitioners and stakeholder organizations. He expects the perception of the maturity model to improve over time.

“CISA is going to keep that as a living document and they’re going to work to include that feedback from agencies and that number is going to rise,” he predicted.