What 2024 Taught Us About Federal Zero Trust Momentum — and What’s Next in 2025

As federal agencies move deeper into their Zero Trust journey, the focus is shifting from why to how.  

The discussions today aren’t about justifying Zero Trust. They’re about building Zero Trust strategies that work in the complex federal government cybersecurity landscape.  

Last month, Gary Barlet, Illumio’s public sector CTO, shared his insights on federal Zero Trust momentum in the Federal Executive Forum webinar series hosted by the Federal News Network. In his discussion with other government cybersecurity experts, he emphasized how important moving from theory to action will be for agencies in the new year.

Here’s how federal leaders can apply these lessons to build resilient Zero Trust architectures for 2025 and beyond.

From "what is Zero Trust" to "how to operationalize it"

According to Barlet, the dialogue around Zero Trust in government cybersecurity has evolved throughout 2024.  

“No longer do I go in and meet with federal leaders and have to start with explaining what Zero Trust is and why it’s important,” he explained during the webinar. “Now, we’re having conversations about not what is it or should I do it, but how should I do it.”

This shift shows a maturing landscape where Zero Trust principles are widely accepted.  

Federal cyber leaders should now focus on the strategic implementation of Zero Trust. This includes paying attention to three key areas:

1. Securing north-south and east-west traffic

East-west network traffic is the internal movement of data within an organization. Traditional security tools focus on north-south traffic at the network perimeter. This leaves east-west traffic inside the network with no security and vulnerable to breaches.

“It’s not just about who gets into the network, but where they go once inside,” Barlet explained.

This nuance is often overlooked, but it is crucial to stopping cybercriminals from spreading through the network, a technique known as lateral movement.

How do you protect east-west traffic? Microsegmentation.

Microsegmentation is foundational to any Zero Trust strategy. In fact, John Kindervag, the creator of Zero Trust, addressed segmentation in his second-ever report on Zero Trust a decade ago:

[Image: highlighted excerpt from a document discussing the limitations of VLANs in network segmentation, emphasizing the need for new segmentation methods and default segmentation in future networks.]

“Let’s assume something bad is going to happen,” Barlet said. “How can we minimize the impact of that? How can we ensure one little bad thing doesn’t turn into a complete cyber disaster? The answer is microsegmentation.”

Federal agencies must prioritize microsegmentation to compartmentalize network environments, he explained. By segmenting workloads and enforcing granular policies, agencies can contain breaches before they can become major cyber incidents.  

2. Understanding perceived vs. actual network behavior

One of the most striking observations Barlet shared was the gap between perceived and actual network behavior.  

“When we walk in the door and draw [clients] a map of all the interconnections happening on their enterprise, they’re often surprised,” he said. “They’ll say, ‘My guys showed me a PowerPoint slide with a line going from point A to point B.’ And we have to tell them, ‘That’s not showing you everything.’”

Agencies can’t protect what they can’t see. This highlights the importance of real-time visibility that can offer an accurate, dynamic picture of what’s happening inside the network. Visibility is the cornerstone of any Zero Trust strategy.

3. Adopting a breach-containment mindset

Barlet also highlighted the need for a shift in mindset — from preventing breaches to containing them.

While preventing breaches is the ideal, the reality is that determined adversaries often find ways in. The question then becomes: How do you limit the damage?

“Agencies are starting to wake up to the conversation of, ‘OK, let’s assume something bad’s going to happen. How do we ensure it doesn’t spiral out of control?’” he noted.  

By focusing on reducing the blast radius of a breach, agencies can significantly improve their resilience and avoid halting operations. This means breaches stay small and have minimal impact on your agency.

Key Zero Trust insights for federal agencies for 2025

Barlet and the other federal cybersecurity experts shared their top insights for agencies focused on building Zero Trust in the new year:

  1. Embrace real-time visibility: Agencies must invest in tools that provide a comprehensive view of east-west traffic and interdependencies across their networks. These insights are essential for understanding and addressing vulnerabilities.
  2. Prioritize microsegmentation: By segmenting workloads and enforcing granular access controls, agencies can limit the lateral movement of attackers and protect sensitive data.
  3. Adopt breach containment: Assume that breaches will happen and focus on reducing their impact. This includes planning for worst-case scenarios and building systems that can contain threats effectively.
  4. Collaborate across teams: Implementing Zero Trust isn’t just a technical challenge — it’s a cultural one. Agencies need buy-in from leadership and collaboration across IT, security, and operations teams.
  5. Leverage automation: Automation is critical for scaling Zero Trust strategies. From continuous monitoring to dynamic policy enforcement, automated tools can help agencies stay ahead of threats.

Looking ahead: The role of leadership in Zero Trust

One of the most encouraging trends Barlet has observed going into 2025 is the growing commitment from federal leadership on building Zero Trust.  

“From the senior leadership levels on down, they’re really starting to acknowledge and embrace these concepts,” he said. This top-down support is crucial for driving change and ensuring that Zero Trust becomes ingrained in agency culture.

As we move into 2025, federal agencies have a unique opportunity to build on the progress made over the past few years. By continuing on their Zero Trust journey, they can create resilient systems that stand up to even the most sophisticated threats.

Zero Trust is no longer a buzzword — it’s a strategic imperative.  

Watch the full Federal Executive Forum Zero Trust Strategies in Government Progress and Best Practices 2024 webinar.

Learn more about how Illumio Zero Trust Segmentation can help your agency get granular visibility, contain breaches, and reduce risk.
