More than 60 percent of federal agencies expect to meet goals for implementing zero trust cybersecurity by the end of September 2024 and another 21 percent expect to meet most of the goals by then, according to a new study that was commissioned by General Dynamics Information Technology (GDIT).

The study, Agency Guide to Zero Trust Maturity, also found that 90 percent or more of respondents to the survey say their top investment priorities are device protection and cloud, topping priorities in other areas such as secure access service edge, micro-segmentation, and artificial intelligence, all of which would “most benefit mission efforts.” It says 47 percent put AI investment as a top priority.

“For example, micro-segmentation reduces the attack surface and AI facilitates granular data protection, both of which are critical to enabling the mission,” the report says.

The Cyber Center of Excellence within GDIT, a business unit of General Dynamics [GD], partnered with the independent research firm Market Connections to survey 300 pre-qualified federal mission and information technology decisionmakers, 60 percent of whom work for civilian agencies and the rest for defense agencies.

The survey comes a year after President Biden’s sweeping executive order on cybersecurity directed federal agencies to achieve certain zero trust goals by the end of fiscal year 2024.

That 49 percent of respondents believe they will meet all their zero trust security requirements on time and 14 percent will meet the requirements early shows “significant progress,” the report says. Other positive results include 92 percent being somewhat or very confident in their agency’s security capabilities and at least half saying their agency is at an optimal or advanced maturity level in all five pillars of the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model, the report says.

“Until recently, zero trust was an obscurity for many in government, but expertise is growing and more than a third say they are experts or are knowledgeable about zero trust,” the study says.

Having to rebuild or replace legacy infrastructures is the top challenge to implementing a zero trust architecture, according to 58 percent of respondents, followed by determining the right set of technologies needed, 50 percent of respondents say. The next four challenge areas in descending order are lack of IT staff expertise, 48 percent, costly investment, 46 percent, the need to change an agency’s cybersecurity philosophy or culture, 37 percent, and a lack of internal resources to manage, 34 percent.

Regarding the views of defense and civilian agencies, 61 percent and 37 percent, respectively, see costly investment as a challenge, and 45 percent versus 26 percent view a lack of internal resources as a challenge.

“Moving to zero trust means starting from the ground up, requiring a significant investment—including replacing or rebuilding legacy infrastructure and mission systems built on ‘implicit trust,’” says the report. “Legacy systems across the government rely on this model, which has in many cases, proven unreliable and allowed malicious actors to gain access to systems and move around without granular controls offered by zero trust in place. Agencies should focus on introducing zero trust gradually by starting with areas that need the most attention and deliver quick wins.”