Top federal security and IT officials met recently to discuss cyber policy priorities for 2025, with a focus on maintaining zero trust, building awareness of threats against agency systems, securing the cloud and preparing for post-quantum cryptography, the interim federal chief information security officer said Wednesday.
At that joint meeting between the Federal Chief Information Officers Council and the Federal Chief Information Security Officers (CISO) Council, there was a discussion about “what comes next, and what do we see at the bottom so that you can go back to your team and have meaningful discussions about where your cyber strategy is,” Mike Duffy, the interim federal CISO, said at CyberTalks, presented by CyberScoop. “We discussed four things and they are: ‘Please note this, federal CIOs and federal CIOs.’ Let’s see that through 2025.”
One of these four was promoting zero trust, a topic also discussed elsewhere at CyberTalks. Another was “operational visibility,” Duffy said. This means agencies are leveraging existing investments to “gain visibility across their environments and make a difference, make an impact and reduce risk individually, so we have visibility across government as a threat actor moves,” he said.
Another priority was to “enhance secure cloud environments,” Duffy said, by turning to the Cybersecurity and Infrastructure Security Agency's Secure Cloud Business Applications (SCuBA) project.
The fourth was quantum readiness, including post-quantum cryptography (PQC). “It is very important for agencies to think about their inventories, and how they plan to transition their critical systems to PQC, taking into account what the future holds and what the next steps could be,” Duffy said.
The November election will bring a new president, whether the winner is Democrat Kamala Harris or Republican Donald Trump.
Duffy said it's important for federal agencies to head into the new year with a “united effort.”
Looking ahead to policy developments in 2025 still involves a continuation of what came before, he said. That means putting in place basic governance structures for areas like artificial intelligence and secure software development, strengthening long-term “critical work” like multi-factor authentication and anti-phishing, and making good use of previous investments such as CISA's Continuous Diagnostics and Mitigation program.