US still prioritizing zero-trust migration to limit hacks’ damage



LAS VEGAS — The U.S. government is still pushing agencies to adopt zero-trust network designs, continuing a project that gained steam during the Biden administration, a senior cybersecurity policy official said on Wednesday.

“It must continue to move forward,” Michael Duffy, the acting federal chief information security officer, said during a panel at the Black Hat cybersecurity conference. “That architectural side of it is very important for us to get right as we integrate new technologies [like] artificial intelligence into the ways we operate.”

Zero-trust networking emphasizes the concept of throwing up hurdles to hackers who penetrate a computer system, limiting the damage they can do by sealing off parts of the network and requiring strict user authentication.

The Biden administration in early 2022 required agencies to adopt zero-trust architectures on their networks. The Biden White House’s timeline “has since lapsed,” Duffy said, but “the foundational expectations remain, and they will continue to remain.”

“The roadmaps at federal agencies are in place,” Duffy added. “A lot of that work is architectural in nature.”

The comments from a top Trump administration cybersecurity official — albeit one serving in an interim role — suggest that the new administration sees value in some of its predecessors’ cyber priorities.

Now that agencies are several years into adopting zero-trust principles, Duffy said, the next big push from the government will be about “showing and demonstrating that zero trust is a way of thinking, a way of architecting, a way of operating that has to be available for all of us … because of the threats that we’re seeing from AI and beyond.”

“We need to make sure that that blast radius [of an attack] is as narrow as possible,” he said, “because our time to respond is increasingly narrow.”

Duffy’s team inside the White House’s Office of Management and Budget has been encouraging federal agencies to prioritize the adoption of technologies that can speed up their ability to spot cyberattacks. Duffy said he pays close attention to calculations of how long it takes defenders to detect, respond to and mitigate intrusions. Those “are important measures for us to take in and consider when we’re making policy,” he said, “because that shows us that we’re on the right track.”

Duffy spoke on the panel alongside Chris Butera, the acting head of the Cybersecurity Division at the Cybersecurity and Infrastructure Security Agency. In addition to overseeing CISA’s work assisting the rest of the government with cyber defense, Butera helps protect the agency’s own computer systems, and he said Wednesday that CISA’s own zero-trust journey illustrates some of the difficulties of making major changes to an enterprise’s network.

“It’s very hard to grade an entire organization against zero trust,” he said. “We all have various systems in various states of modernization, different identity management and access management solutions.”

As it modernized its networks, Butera said, CISA asked itself, “Are we getting the right telemetry, are we using our tools effectively, and do we have the right relationships with our vendor community to actually understand how we can best utilize their [products]?”

Successfully migrating a network to zero-trust architecture also requires broadly communicating the value of the changes, which can at times be disruptive to network users, according to Butera.

“You have to explain zero trust across your whole community,” he said. “Not everyone wakes up and says, ‘I love doing cyber everyday. I love doing IT everyday.’ That’s not the world we live in.”


