Three moves that can jumpstart cyber modernization — even without a full budget

COMMENTARY | You don’t need a billion-dollar overhaul to modernize cybersecurity. Lou Eichenbaum shares three quick wins and three long-term priorities that agencies can act on, even with limited budgets.
Let’s be honest: most agencies don’t have a blank check to invest in cybersecurity modernization. But that doesn’t mean they’re stuck. You don’t need a full rip-and-replace to make meaningful progress; you need clarity, urgency and smart prioritization. Whether you’re working with a full budget or a shoestring one, there are moves you can make today that will strengthen your defenses tomorrow.
Here are three quick wins that deliver impact in months, not years.
1. Enforce Phishing-Resistant MFA Across All Applications
Most agencies already have the tools; they're just not using them consistently. Everyone has a PIV card, but it is typically used only to log into the network. Once inside, it's back to passwords (or SMS codes and push prompts, which an attacker can relay through a fake login page) for individual applications, and that is where attackers strike. According to CISA, 32% of breaches involve phishing attacks and 78% of cyber-espionage incidents are enabled by phishing. Enforcing phishing-resistant MFA, meaning PIV or FIDO2/WebAuthn authenticators whose credentials are bound to the application's origin, across every application closes that gap and aligns with federal mandates such as OMB M-22-09. It's low-cost, high-impact and long overdue.
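What makes PIV and FIDO2 "phishing-resistant" is that the credential is tied to the legitimate site's identity, and the application checks that binding on every login, so an assertion captured on a look-alike page is useless. The check below is an added illustration in Python, not code from the author or from ColorTokens: the relying-party ID, allowed origin, challenge and assertion fields are constructed for the example, and the final step, verifying the signature over the returned payload with the user's registered public key, is left to a WebAuthn library.

```python
import base64
import hashlib
import json

# Hypothetical relying party: the application that should accept the PIV/FIDO2 login.
RP_ID = "apps.agency.example"
ALLOWED_ORIGINS = {"https://apps.agency.example"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_authenticator_data(rp_id: str, user_present: bool = True,
                            user_verified: bool = True, sign_count: int = 1) -> bytes:
    """Minimal authenticatorData: sha256(rpId) || flags || signCount (big-endian)."""
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def build_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser produces as clientDataJSON for a webauthn.get ceremony."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes) -> tuple:
    """Server-side checks that make the login phishing-resistant.

    Returns (ok, reason). A phishing page serves a different origin, so the
    origin check fails even if the user completed the ceremony there.
    """
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch (credential belongs to another site)"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user-presence flag not set"
    if not flags & 0x04:
        return False, "user-verification flag not set (no PIN/biometric)"
    return True, "ok"


def signed_payload(client_data_json: bytes, authenticator_data: bytes) -> bytes:
    """The bytes the authenticator signed; verify the signature over this with
    the registered public key (ECDSA/RSA via a WebAuthn library, not shown)."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def demo() -> tuple:
    # Constructed challenge; a real server would use os.urandom(32) and store it per session.
    challenge = bytes(range(32))
    auth = make_authenticator_data(RP_ID)
    genuine = build_client_data("https://apps.agency.example", challenge)
    # Hypothetical look-alike domain an attacker might register for a phishing page.
    phished = build_client_data("https://apps-agency.example", challenge)
    return check_assertion(genuine, auth, challenge), check_assertion(phished, auth, challenge)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The same structure is why a PIV certificate presented over TLS client authentication resists phishing: the proof is tied to the real server's identity, and a relayed copy does not verify against it.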
2. Encrypt Critical Data at Rest and in Transit
Encryption isn't glamorous, but it's essential. Think of it like locking your suitcase before you check it at the airport: you can't stop someone from handling it, but you can make sure they don't see what's inside. Agencies should prioritize encryption for systems handling PII, financial data and mission-critical operations: TLS for data in transit, and encryption of databases, backups and file stores at rest, with keys stored and access-logged separately from the data they protect. It's a foundational move that protects even when perimeter defenses fail, with one caveat worth stating plainly: encryption at rest defends against lost or copied storage, not against an attacker who has already obtained the application's own credentials or keys.
3. Deploy Microsegmentation Around Vulnerable Legacy Systems
You can't patch them. You can't replace them. But you can contain them. Legacy systems are often the soft underbelly of federal networks: built decades ago, running outdated code and impossible to modernize quickly. Microsegmentation puts a default-deny boundary around each of these assets and allows only the specific sources, protocols and ports the system actually needs (for example, the application tier that fronts it and an administrative jump host), so a compromised workstation cannot reach it directly. That stops lateral movement at the zone boundary and reduces the blast radius if the system, or anything near it, is compromised.
And the need is urgent. According to the GAO, eight of the 11 most critical federal legacy systems rely on outdated programming languages like COBOL and Assembly and seven have known cybersecurity vulnerabilities that cannot be remediated without modernization. These systems support essential missions like health care, tax processing and national security — and they’re years behind schedule.
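To make "reducing the blast radius" concrete, the following Python models a small network as an allowlist policy, computes which hosts an attacker on a compromised workstation can reach (over any number of hops) on a flat network versus a microsegmented one, and renders the corresponding default-deny host-firewall rules in nftables syntax for one legacy host. It is an added example, not code from the author, ColorTokens or any agency; the hosts, zones, addresses, listening ports and policy are constructed for the illustration.

```python
from collections import deque

# Constructed inventory: host -> (zone, IP). Hypothetical names and addresses.
HOSTS = {
    "ws-01":     ("workstations", "10.1.0.11"),
    "ws-02":     ("workstations", "10.1.0.12"),
    "app-01":    ("app-tier",     "10.2.0.21"),
    "jump-01":   ("admin",        "10.3.0.31"),
    "cobol-01":  ("legacy",       "10.9.0.91"),
    "db-leg-01": ("legacy",       "10.9.0.92"),
}

# Ports each host listens on (constructed). Legacy hosts expose tn3270/telnet,
# an old database port and SSH; nothing here can be patched away.
LISTENING = {
    "ws-01": {445, 3389}, "ws-02": {445, 3389},
    "app-01": {443, 22},
    "jump-01": {22},
    "cobol-01": {23, 22},
    "db-leg-01": {1433, 22},
}

# Microsegmentation policy as an allowlist of (src_zone, dst_zone, dst_port).
# Anything not listed is denied. None stands for a flat network with no policy.
SEGMENTED = {
    ("workstations", "app-tier", 443),   # users reach the legacy app only via its front end
    ("app-tier", "legacy", 23),          # app tier talks tn3270 to the mainframe emulator
    ("app-tier", "legacy", 1433),        # app tier talks to the legacy database
    ("admin", "legacy", 22),             # administration only from the jump host
    ("admin", "app-tier", 22),
}


def allowed(policy, src: str, dst: str, port: int) -> bool:
    """Is a connection from src to dst:port permitted under the policy?"""
    if policy is None:
        return True  # flat network: every host can reach every service
    return (HOSTS[src][0], HOSTS[dst][0], port) in policy


def blast_radius(start: str, policy) -> set:
    """Every host an attacker who owns `start` can reach, following allowed
    connections hop by hop (breadth-first search over the reachability graph)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for dst in HOSTS:
            if dst in seen:
                continue
            if any(allowed(policy, cur, dst, p) for p in LISTENING[dst]):
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def render_nft_input_rules(host: str, policy) -> str:
    """Default-deny inbound ruleset for one host, in nftables syntax, derived
    from the policy. This is what a host-based segmentation agent would push."""
    zone, _ = HOSTS[host]
    lines = [
        f"# host firewall for {host} ({zone}); default deny inbound",
        "table inet microseg {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for src, (src_zone, ip) in sorted(HOSTS.items()):
        for port in sorted(LISTENING[host]):
            if (src_zone, zone, port) in policy:
                lines.append(f"    ip saddr {ip} tcp dport {port} accept  # from {src}")
    lines += ["  }", "}"]
    return "\n".join(lines)


def compare(start: str = "ws-01") -> dict:
    """Blast radius of a compromised host on a flat vs. a segmented network."""
    return {"flat": sorted(blast_radius(start, None)),
            "segmented": sorted(blast_radius(start, SEGMENTED))}


if __name__ == "__main__":
    print(compare("ws-01"))
    print(render_nft_input_rules("cobol-01", SEGMENTED))
```

Note what the segmented result still shows: the workstation can reach the application tier, and the application tier can reach the legacy hosts, so a compromised front end remains a path to the mainframe. Segmentation narrows the paths to the ones the mission requires; it does not remove the need to watch them.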
If you’re building a longer-term roadmap, here are three foundational priorities:
1. Strong Identity & Access Management
Identity is the foundation of zero trust. You can validate every login, but if someone gets in anyway, you need to contain the blast radius. Layered controls like microsegmentation quietly reinforce your defenses, limiting lateral movement even after access is granted.
2. Integrated Telemetry & AI-Driven Threat Analysis
Visibility is everything. Agencies must harness telemetry across endpoints, networks and applications — and use AI to make sense of it. Microsegmentation plays a supporting role here too: by isolating systems, it reduces noise and helps threat detection tools focus on meaningful signals.
3. Cultural Adoption & Workforce Enablement
Zero trust isn’t just a tech upgrade—it’s a mindset shift. Agencies must invest in training, cross-functional collaboration and policy engineering. At DOI, we built a zero trust community of practice. Over 200 people got certified. That was the most effective thing we did.
And let’s not ignore the elephant in the room: skilled personnel shortages. Legacy systems often require niche expertise and federal agencies struggle to compete with private-sector salaries. Add cloud complexity and fragmented authority structures and it’s clear that modernization must be strategic, not sprawling.
Cybersecurity isn’t about perfection. It’s about progress. And with the right moves, even a modest budget can deliver outsized impact.
Lou Eichenbaum is the Federal CTO at ColorTokens. He previously served as CISO at the Department of the Interior. This is the second piece in a three-part contributed series.