U.S. government cybersecurity leaders are entering a pivotal moment as AI advancements, the approaching post‑quantum era, and persistent workforce shortages have created a new operational reality. The structures and processes that once supported cyber programs are no longer keeping pace with rapid change. Federal agencies must manage evolving threats while also advancing innovation and meeting mission demands.
In a GovExec‑moderated interview, Guidehouse’s Nancy Sieger and Cindi Bassford surface several key themes that all point to a central issue: Quantum computing and the recent government restructuring present the biggest cybersecurity risks.
Once a distant concern, quantum security risk is rising fast as the threat environment changes. Although no one can pinpoint the exact moment that quantum capabilities will be able to break widely used encryption, experts agree on the inevitability. Equally concerning, many of them believe that data is already being exfiltrated for future decryption. Waiting for quantum to arrive will only result in a more costly, disruptive response.
Cyber leaders need to understand their current posture, map existing cryptographic dependencies, and synchronize network refresh cycles with existing budget windows. With proper planning, they can fold much of the cost to do so into their normal operations and maintenance budget.
But quantum computing risk is only one part of the picture. As agencies plan for a post‑quantum future, a more immediate priority demands attention: establishing continuous identity verification as a foundation of a resilient cybersecurity posture.
Identity verification sits at the heart of zero trust frameworks, yet many federal identity and access management environments weren’t built for today’s AI‑driven operations. Non‑human identities such as bots, service accounts, automation workflows, and AI agents are common across environments, yet many lack clear ownership or consistent credential management. Without that visibility, identity shifts from being the first line of defense to becoming a growing vulnerability.
At the same time, the human side of zero trust can’t be ignored. With smaller teams supporting aging legacy systems, modernization progress slows down—making it difficult for incident response teams to stay ahead of issues. The strain on teams creates its own risk in the form of eroded team capacity. Rather than continuing the cycle of “doing more with less,” leaders should use automation to remove low‑value tasks so that those smaller teams can focus on mission‑critical decisions.
While AI is beginning to ease some of this pressure by taking on routine, repetitive tasks, it must be integrated thoughtfully. Identity verification alone can’t carry the weight of a comprehensive, modernized cybersecurity posture. Governance processes must evolve to match the pace of increasingly automated operations.
Traditional governance structures are struggling to keep pace with the complexity of the environments they are meant to protect. Many agencies still depend on static documentation, screenshots, and periodic audits to manage their cyber posture. These insufficient, paper‑driven processes can’t reflect the real‑time, “always on” configurations of cloud‑based, API‑driven systems. The results are familiar: authorizations that take too long, emergence of dynamic risks, and skilled staff pulled from mission‑critical work to address avoidable issues.
Engineering‑led modernization offers a way forward. Agencies that shift toward automated evidence collection, integrated telemetry, and continuous validation demonstrate that compliance can keep pace with operations. These approaches reduce months of manual work, improve accuracy, and give leaders a clearer view of their environment. Importantly, automation helps return valuable staff time to strategic priorities and delivers a critical advantage in a resource‑constrained era.
Modernization starts with rethinking how cybersecurity operates across the enterprise. Governance and compliance tools must shift from static documentation to real‑time insights. Instead of relying on single views, agencies can use the telemetry already built into cloud environments to understand configuration changes, control drift, and emerging vulnerabilities. The challenge is bringing these data streams together in ways that tie directly to mission impact.
Collaboration remains a powerful advantage. Efforts such as FedRAMP 20X and CISA’s updated information‑sharing protections show how quickly government and industry can move when security is treated as a shared responsibility. Leaders who embrace transparent, co‑created approaches can strengthen resilience across their ecosystems.
Cybersecurity modernization doesn’t happen in a sweeping, overnight transformation. The journey involves taking deliberate steps to strengthen resiliency while continuing mission operations. A phased plan allows agencies to build momentum while they address daily mission demands. The key is to start now through a practical approach that strengthens identity, aligns governance with real‑time operations, and embeds engineering rigor into daily workflows. Each incremental move reduces risk, restores capacity, and helps agencies adapt alongside new technologies and evolving threats.
Guidehouse is a global AI-led professional services firm delivering advisory, technology, and managed services to the commercial and government sectors. With an integrated business technology approach, Guidehouse drives efficiency and resilience in the healthcare, financial services, energy, infrastructure, and national security markets.