DOJ asks for $110.3M for zero trust

The Justice Department is asking Congress for $149 million for its Justice Information Sharing Technology fund in fiscal 2027, and $110.3 million of that increase is tied specifically to zero-trust cybersecurity work. In the prior two fiscal years, Congress appropriated $38.5 million for that program, so this is a much bigger ask than what DOJ has recently been getting. (justice.gov) (fedscoop.com) That request is not for a shiny new app. It is for the plumbing that decides which person, which laptop, and which system gets access every single time they try to connect. (whitehouse.gov) (cisa.gov) The federal government moved this way after the SolarWinds breach in 2020, when attackers slipped through trusted software updates and reached multiple agencies. In January 2022, the Office of Management and Budget told agencies they had to meet specific zero-trust goals by the end of fiscal 2024 because perimeter defenses were no longer enough. (fedscoop.com) (whitehouse.gov) Zero trust starts from one blunt assumption: no user, device, network, or service gets automatic trust just because it is already inside the building. The White House memo describes the shift as moving from “verify once at the perimeter” to checking each user, device, application, and transaction on a continuing basis. (whitehouse.gov) The Cybersecurity and Infrastructure Security Agency breaks that work into five buckets: identity, devices, networks, applications and workloads, and data. That list sounds abstract until you realize it means keeping a live map of who owns access, which machines are healthy, what apps are talking to each other, and where sensitive files actually sit. (cisa.gov) DOJ says its current funding is below what it needs to cover more than 275,000 endpoints and about 160,000 users. In plain English, that is a department so large that “just ask the one admin who knows how this works” stops being a security plan and starts being a liability. (fedscoop.com) The budget document says the money would support zero-trust architecture for both unclassified systems and national security systems. FedScoop reports DOJ says a shortfall would force it to stop deploying three core pieces: a central identity provider platform, a cloud-based network broker, and tools for endpoint detection, response, and mobile threat detection. (justice.gov) (fedscoop.com) A central identity provider is the system that keeps one authoritative answer to “who are you” across many applications. A cloud-based network broker is the traffic cop that checks the request before letting a user reach a system, instead of waving them through because they happened to get onto the network once. (fedscoop.com) (whitehouse.gov) This is why zero trust often produces management artifacts as much as security tools. To enforce least-privilege access, an agency has to document identity flows, system ownership, device status, and approval chains in enough detail that another operator can step in without guessing. (cisa.gov) (whitehouse.gov) DOJ is also making this request after cyber funding was cut by $108 million in fiscal 2024 and then stayed essentially flat, according to its justification quoted by FedScoop. So the fight here is not over whether zero trust is still the federal model; it is over whether one of the government’s biggest law enforcement departments gets enough money to finish building it. (fedscoop.com) (whitehouse.gov)