75% US federal agencies to miss zero trust security implementation by 2026

Through 2026, 75% of U.S. federal agencies will fail to implement zero trust security policies due to funding and expertise shortfalls, according to Gartner, Inc.

Gartner defines zero trust as a security paradigm that starts from the baseline of trusting no end user, and explicitly identifies users and grants them the precise level of access necessary to accomplish their task. Zero trust is not a specific technology, product or service. Instead, it is a set of security design principles that contrasts with the traditional perimeter-based security approach.

“With the September 2024 deadline for specific zero trust requirements for U.S. federal agencies being established, requirements are broad for all agencies,” said Mike Brown, Vice President Analyst at Gartner. “However, consistent with other compliance deadlines, agencies will struggle to meet these goals. Given the typical delays for Congressional passage of the federal budget, funds will likely not be available for the zero trust initiative until the second quarter of fiscal 2024, allowing only a partial year to achieve goals.”

Agencies Implementing Zero Trust Face Near-Term Hurdles
Although zero trust achievements, or lack thereof, may be captured in audits, public reporting on specific details of zero trust progress may be limited or obfuscated. This is to avoid identifying weaker aspects of government cybersecurity for the benefit of malicious actors.

“One of the main impediments for government agencies in their zero trust journey is a cybersecurity skills shortage,” said Brown.” Government agencies are challenged to compete with the private sector for staff with necessary skills. To address these talent shortages, agencies should be working simultaneously with service contracts, to reskill existing staff and to recruit new staff.”

Failure to meet policy deadlines will continue to leave federal agencies exposed to risks that could be mitigated.

“This could lead to the interruption of vital government services or the compromise of sensitive information, both of which would have a significant fiscal impact on resolving what could be prevented,” said Brown. “Security breaches will occur as even the best cybersecurity implementations are not immune. Still, those agencies and their CIOs who fail to fully and promptly adopt zero trust measures will be subject to the most negative scrutiny. A breach often catalyzes the focus and investment in mitigation, which is a predictable need.” Gartner