The Zero Trust cybersecurity concept is decades old. But in the sprawling and porous federal government, it’s the hot new thing.
President Biden made it a key component of his “Executive Order on Improving the Nation’s Cybersecurity” last May. In response, the White House Office of Management and Budget issued a memorandum in January announcing a Zero Trust architecture (ZTA) strategy that requires agencies to “meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 in order to reinforce the Government’s defenses against increasingly sophisticated and persistent threat campaigns.”
To some, that might sound like an announcement that federal workers will soon be issued devices like the stuff your parents used. Zero Trust was popularized in 2010 by John Kindervag, then Vice President and Principal Analyst on the Security and Risk Team at Forrester Research, but its origins go back to 1994, in a doctoral thesis on computational security by Stephen Paul Marsh, now a professor at the University of Ontario Institute of Technology.
Still, 28 years later, in an industry where a single decade amounts to a couple of generations, moving to a Zero Trust strategy remains a very good thing, according to multiple experts. The less good news is that it is likely to take yet more time—years—for government to get all the way there.
On the good-news front, Kindervag himself, now Senior Vice President, Cybersecurity Strategy, at ON2IT Cybersecurity, wrote about a year ago in the Wall Street Journal that Zero Trust remains relevant and effective.
“The hallmark of zero trust is simplicity,” he wrote. “When every user, packet, network interface, and device is untrusted, protecting assets becomes simple.”
As the NIST Computer Security Resources Center put it in SP 800-207, “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location … or based on asset ownership (enterprise or personally owned).”
Travis Biehn, Technical Strategist with the Synopsys Software Integrity Group, said that although he doesn’t consider the concept cutting-edge, since “the AppSec industry has considered the network to be an ineffective control for decades,” he still thinks a Zero Trust strategy at just about any level of maturity is “the lowest-effort, highest-return thing to pursue for any organization. It’s great.”
“In spite of our historic distrust of the network, it’s a new concept for old organizations all over the planet—government or not,” he said. “Getting all that software a modicum of protection against malicious network participants is a huge deal.”
And Dr. Robert Blumofe, Executive Vice President and CTO at Akamai, said that “whatever age we ascribe to it, it’s clear to me that the key concepts are still not widely adopted. I think of zero trust as a very strong form of the principle of least privilege. Zero trust isn’t being used enough.”
It isn’t that the IT world overall is just starting to implement Zero Trust. At a tactical level, Zero Trust has already been enacted across many organizations. Still, if it’s so relevant and effective, why isn’t it mainstream in government by now, given that one of the federal constitutional duties is to “provide for the common defense”? These days, software security is as important as military hardware. In many cases, it runs military hardware.
Multiple experts say that’s not surprising because government IT has always been ponderously slow, in part because it has problems of scale—the bureaucracy is massive and unwieldy.
And, obviously, no presidential Executive Order, however well intended, can make that problem disappear. So, on the bad-news front, don’t expect ZTA to be embedded throughout the federal government anytime soon. Check the caveats in the announcements of the initiative, and it looks like it may take years longer than the target of Fiscal Year 2024.
CISA, in a June 2021 draft of its “Zero Trust Maturity Model,” wrote that “The path to zero-trust is an incremental process that will take years to implement,” and that “Legacy infrastructure and systems may not support a zero trust implementation.”
But Blumofe said that doesn’t mean nothing will happen until everything happens. “It’s not an all-or-nothing proposition,” he said. “The elements of zero trust can be implemented in phases with additional security coming in each phase. It is true, however, that some legacy systems need to be replaced. The VPN is a good example.”