
Out of curiosity, what do you think the horrible ideas are?



There are a few things I noticed and I'll cover a few right now.

Firstly, they are talking about using microservices, which would be ok (I've used a few microservices for specific applications that actually make sense to service-ify), but I would by no means consider this a safer way of doing things. When you're talking about services run by our government, which isn't notorious for having its network security done right, I'm very wary of them moving to a microservice architecture.

MTD is another thing that sounds concerning. This seems like the bottom of the barrel of security ideas and looks like it would be far more complicated than the other methods mentioned. If used alone, this would probably introduce more bugs.

"Education and Training" can basically be summed up as universities being stuck in the 70s and not teaching CS but teaching the Math that CS needs.

The "Liability" section is keeping me torn.


I think the idea of using microservices is that it lessens the surface area of what you need to harden. In other words, it's easier to harden a simple service that just does one or a few things versus hardening a complex monolithic application.

I'd liken it to OOP encapsulation or the idea behind Linux executables.


Moving Target, aka obfuscation, is one of the best things you can do against serious attackers on top of a solid baseline. Just obfuscating the CPU as a non-Intel CPU masquerading as one protected many deployments of mine and others for years on end. The idea is the extra effort they put in on a per-client or per-site basis either breaks their attack entirely or makes you more likely to notice it.


Two examples of MTD at work are:

(i) address space layout randomization: this is by no means impervious but it is worth doing

(ii) there being several "official" Ethereum clients, such that if somebody hacked just one client they could not take over the whole network.
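
The ASLR caveat above ("by no means impervious") is easy to check on a real system: compare /proc/<pid>/maps across two runs of the same program and see which regions actually moved. Anything whose base stays put, typically a main executable that was not linked as position-independent, is a fixed anchor an attacker can use for ROP gadgets no matter what kernel.randomize_va_space says. The following is an added example, not code from the thread or from any project mentioned in it; the two maps snapshots, the /opt/app/server path and the addresses in them are constructed samples, not captured output.

```python
"""Which mappings really move between runs? Parse two /proc/<pid>/maps
snapshots of the same program and report, per named region, whether its
base address changed. Added example; the snapshots below are constructed.
"""
import re
from collections import OrderedDict

# One line of /proc/<pid>/maps: range, perms, file offset, dev, inode, path.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed snapshot from "run A": a non-PIE binary at 0x400000, plus
# heap, libc, stack and vdso at randomized addresses.
RUN_A = """
00400000-00401000 r--p 00000000 08:01 131 /opt/app/server
00401000-00402000 r-xp 00001000 08:01 131 /opt/app/server
00402000-00403000 r--p 00002000 08:01 131 /opt/app/server
00403000-00404000 rw-p 00002000 08:01 131 /opt/app/server
01a2c000-01a4d000 rw-p 00000000 00:00 0 [heap]
7f3c1e400000-7f3c1e5f0000 r-xp 00000000 08:01 42 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd5a1e0000-7ffd5a201000 rw-p 00000000 00:00 0 [stack]
7ffd5a2f0000-7ffd5a2f2000 r-xp 00000000 00:00 0 [vdso]
"""

# Constructed snapshot from "run B" of the same program: everything moved
# except the executable itself, because it was linked without -pie.
RUN_B = """
00400000-00401000 r--p 00000000 08:01 131 /opt/app/server
00401000-00402000 r-xp 00001000 08:01 131 /opt/app/server
00402000-00403000 r--p 00002000 08:01 131 /opt/app/server
00403000-00404000 rw-p 00002000 08:01 131 /opt/app/server
0215b000-0217c000 rw-p 00000000 00:00 0 [heap]
7f91aa000000-7f91aa1f0000 r-xp 00000000 08:01 42 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffc0b5d0000-7ffc0b5f1000 rw-p 00000000 00:00 0 [stack]
7ffc0b7a3000-7ffc0b7a5000 r-xp 00000000 00:00 0 [vdso]
"""


def parse_maps(text):
    """Return {name: lowest start address} for each named mapping.

    The name is the backing file path or a bracketed pseudo-name such as
    [heap] or [stack]. Anonymous mappings have no stable identity to match
    across runs, so they are skipped.
    """
    bases = OrderedDict()
    for line in text.strip().splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            raise ValueError("unrecognised maps line: %r" % line)
        name = m.group("path").strip()
        if not name:
            continue
        start = int(m.group("start"), 16)
        if name not in bases or start < bases[name]:
            bases[name] = start
    return bases


def compare_runs(maps_a, maps_b):
    """Return {name: (base_a, base_b, moved)} for regions seen in both runs."""
    a, b = parse_maps(maps_a), parse_maps(maps_b)
    result = OrderedDict()
    for name, base_a in a.items():
        if name in b:
            result[name] = (base_a, b[name], base_a != b[name])
    return result


def fixed_regions(maps_a, maps_b):
    """Names whose base did not move: the anchors an exploit can rely on."""
    return [name for name, (_, _, moved) in compare_runs(maps_a, maps_b).items()
            if not moved]


def report(maps_a, maps_b):
    """Human-readable summary, one line per region."""
    lines = []
    for name, (base_a, base_b, moved) in compare_runs(maps_a, maps_b).items():
        verdict = "randomized" if moved else "FIXED (usable without a leak)"
        lines.append("%-45s %#014x -> %#014x  %s" % (name, base_a, base_b, verdict))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RUN_A, RUN_B))
    print("fixed:", fixed_regions(RUN_A, RUN_B))
```

On a Linux box the same functions work on real data: capture `/proc/<pid>/maps` from two separate launches (not a fork, which keeps the parent's layout) and pass the two strings in. The interesting output is the list of fixed regions; with `randomize_va_space=2` and a PIE binary it should be empty, and a non-empty list means the remedy is relinking with `-pie`, not more ASLR.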



