This Fiscal Year’s Federal Zero Trust Progress: An Expert Q&A
With the close of federal funding, it’s the perfect time to look back at the changes we’ve seen to government cybersecurity this past fiscal year. Many agencies have been focused on strengthening their cybersecurity posture. Zero Trust has been at the center of these efforts, moving from a niche concept to a core security strategy.
We recently sat down with Illumio’s Public Sector CTO, Gary Barlet, to discuss the evolution of Zero Trust in the U.S. federal government.
In our conversation, Gary shared his insights on the state of Zero Trust in government, this year’s federal zero-trust transformation, and how zero-trust tech like microsegmentation is modernizing federal cybersecurity.
Q: The U.S. federal government has been talking about Zero Trust for a few years. How have you seen agencies’ zero-trust initiatives evolve over the past year?
A: There’s been a big shift in how people understand Zero Trust in the last few years. We used to spend a lot of time educating folks on Zero Trust. Now, more people know what it is. We’re spending more time discussing what a zero-trust strategy should look like for their agency’s unique needs.
One key thing people are waking up to is that there’s no single zero-trust product. Zero Trust is a strategy that involves using multiple technologies together.
I do think there’s still a bit of what I’d call an unhealthy fixation on identity. A lot of people still think Zero Trust means identity, but I'm starting to see that changing.
I think the biggest change I’m seeing is how people are thinking about zero-trust technologies. A lot of this comes down to exposure. Security teams may not fully understand how complex their networks have become. They may not realize that we’ve developed better, easier ways to secure this complexity under a zero-trust model. There are ways to get quick wins early in the zero-trust journey that weren’t available just a few years ago.
Q: In your experience, what are the roadblocks agencies run into when building Zero Trust?
A: A lack of resources is a major challenge right now. Agencies often deal with tight budgets, not enough people, and cyber skills gaps. It’s tough for them to compete with private companies that have more resources and benefits to attract skilled workers. I do think new AI tech can help alleviate some of these resource challenges.
Another challenge is the mindset – and this is true for both the public and private sector. Agencies sometimes aim for perfection and get stuck. Zero-trust guidance like CISA’s Zero Trust Maturity Model (ZTMM) and the Department of Defense’s Zero Trust Reference Architecture presents Zero Trust as a linear, step-by-step process where you can check off each step. But that’s not the reality of how Zero Trust gets done. It’s an ongoing process. You have to work on many areas at once and accept that you’ll never be perfect, just better.
There’s also a need to change the thinking that a breach means failure or that it’s only the security team’s problem. Breaches are going to happen. A lot of times, their origin is outside of the security team’s control, like a phishing email. Cybersecurity is everyone’s responsibility. It takes a level of awareness across the entire government.
Q: You’ve been calling attention to the cyber skills gap in the federal government. How do public-private sector partnerships like those supported by FedRAMP help fill this gap?
A: Public-private partnerships have a multiplier effect. They offer agencies the flexibility they need to keep up with new tech, risks, and compliance requirements.
Private organizations can partner with the government as a trusted advisor. They bring specialized knowledge that would often be impossible for agencies’ own teams to learn. It’s a great way for public and private sector security professionals to learn from each other and share insights.
If we can share information, we remove silos and improve cybersecurity together.
Q: What role are you seeing automation and AI play in federal government cybersecurity?
A: As in any organization, security automation and AI can help teams work faster and bridge the skills gap. But the risk of using these tools gets amplified in the government space.
When building and training AI models, there’s a risk of exposing sensitive information, including employees’ and citizens’ data. The technology is so new that we haven’t yet figured out a way to clearly track where training data is coming from or how it will be shared publicly.
AI models can also have built-in biases. AI algorithms are built by humans, and their training data often comes from human input. Humans have biases, often ones that aren’t obvious to us. It’s nearly impossible at this point to spot and fix the ways AI is taking on our biases. This can be a major issue in government.
Citizens are required to rely on and share information with government organizations. Any kind of bias from the government could cause harm to citizens – and may even have life or death implications.
Q: Looking ahead, what impact do you see zero-trust technologies like microsegmentation having on federal cybersecurity strategies?
A: Zero Trust is already speeding up cybersecurity modernization for federal agencies. Tech like microsegmentation is helping agencies move away from relying solely on preventing and detecting breaches towards containing breaches.
A positive change we’re seeing is that more people are recognizing that security is everyone’s job.
Zero-trust tech requires better visibility into the network and more collaboration across teams. People are getting used to better security protections. It’s now more common to ask why certain protections aren’t in place rather than why they are.
But as cybersecurity becomes a mainstream topic, I think there’s a risk that we could become complacent. Until the public demands better protection, security measures might not advance as fast as needed. I’m hopeful that better and more frequent conversations around cybersecurity will help continue the momentum we’re seeing now.
Build Zero Trust at your agency with Illumio Government Cloud, now FedRAMP® Authorized. Learn more in the FedRAMP Marketplace.