A holistic approach to transitioning to a fully mature zero trust architecture
Implementing zero trust requires a significant cultural shift within all levels of an agency, as zero trust does not start and stop with IT professionals.
The White House recently released a memo directing agencies to ensure their fiscal year 2026 budgets reflect the five pillars outlined in the National Cybersecurity Strategy. In particular, it encourages agencies to continue the transition towards fully mature zero trust architectures and updated zero trust implementation plans that document current and target maturity levels for high impact systems in line with the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model.
The memo comes at a crucial time as federal agencies are racing to meet the White House’s September 30 deadline to move toward zero trust. As agencies continue transitioning to fully mature zero trust architectures and developing detailed implementation plans, there are several factors that that will foster a solid foundation for their zero trust goals.
Cultural and organizational change during implementation
Implementing zero trust requires a significant cultural shift within all levels of an agency, as zero trust does not start and stop with IT professionals. Zero trust is an all-encompassing effort and is the responsibility of the entire agency and its leadership. Securing buy-in from executive leadership and including acquisition professionals and engineers in conversations about the agency’s zero trust implementation plans is crucial. This culture change often requires re-education and ongoing training to ensure that all agency leadership and staff are aligned with the new security protocols and understand the critical importance of their role in maintaining the integrity of the agency’s systems and data.
As these discussions unfold, it’s important that leadership also grasps the fundamental shift in the security approach that zero trust represents. Rather than traditional security measures that rely on perimeter defenses to keep threats out, zero trust relies on a “never trust, always verify” concept — scrutinizing every action and access request, ultimately re-enforcing the importance of all levels within an agency to be vigilant about potential threats. Through education initiatives, leadership can better understand how zero trust takes a proactive approach to security, rather than the reactive measures of the past.
Leadership plays a crucial role in the successful implementation and maintenance of zero trust protocols. Their support is instrumental in driving the necessary changes and ensuring that resources are allocated effectively. When leaders are committed to zero trust principles, they set a tone that encourages widespread adoption and adherence across the agency.
Prioritizing progress over perfection
The CISA Zero Trust Maturity Model is built on five key pillars: identity, device, network/environment, application and workload, and data. These pillars form a comprehensive approach to continuously validating and securing an organization’s digital environment. In the journey towards fully mature zero trust architectures, agencies must prioritize measurable progress across the five pillars rather than striving for perfection in each area. They can achieve this by working on all pillars simultaneously, making progress in each based on individual needs and vulnerabilities, rather than trying to perfect any one pillar. By identifying where their greatest needs and vulnerabilities lie within each pillar, agencies can implement measures that address those weaknesses immediately.
There will never be a “one-size-fits-all” solution for zero trust, and agencies looking to make progress on their zero trust goals must tailor architectures and implementation plans to their unique stage of the cybersecurity journey. As agencies work on each pillar, they must prioritize continuous improvement with small but impactful wins that recognize the dynamic nature of cyber threats and are better equipped to adapt to the evolving landscape.
By setting realistic, incremental goals, agencies can adapt to new challenges more effectively and continuously enhance their defenses. This method ensures that efforts are not stalled by the pursuit of perfection, which can be both time-consuming and resource intensive.
Regularly evaluating progress in each pillar enables agencies to identify areas of strength and weakness. This allows for more targeted investments and adjustments, ensuring that security measures remain effective and relevant over time.
Collaboration among agencies strengthens cybersecurity
In the journey toward fully mature zero trust architectures, collaboration among federal agencies is not just beneficial — it is essential. Initiatives like program management offices for zero trust and integrating zero trust principles in governance frameworks are steps in the right direction. The complex and evolving nature of cybersecurity threats demands a unified and coordinated approach, where agencies work together to share knowledge, best practices and resources.
Agencies can also work together to share how zero trust segmentation (ZTS) offers a path forward to combat evolving threats and address various vulnerabilities. ZTS breaks down networks into smaller segments and isolates critical assets — reducing the risk of lateral movement by attackers within the system, protecting sensitive information, and maintaining operational continuity, even in the event of a breach. ZTS can serve as a common ground for collaboration, enabling agencies to implement consistent security measures across segments while tailoring specific defenses to their unique needs.
By collaborating, agencies can share critical information about emerging threats, vulnerabilities and successful defense strategies. This collective intelligence helps agencies stay ahead of adversaries, enabling them to respond more effectively to attacks and reduce the risk of being caught off guard. Knowledge sharing also fosters innovation, as agencies can learn from each other’s experiences and apply proven solutions to their own security challenges.
The success of zero trust implementations should be measured using metrics and verified through practices like red team testing. Of equal importance is celebrating short-term wins. Demonstrating zero trust successes develops greater buy-in and builds positive momentum.
Building a resilient federal cyber defense
The White House memo underscores the urgency of transitioning to fully mature zero trust architectures as part of their FY26 budget planning. By embracing cultural and organizational shifts, prioritizing progress over perfection, and fostering collaboration across agencies, the federal government can strengthen its cybersecurity posture.
These approaches not only safeguard government assets but also enhance the overall security landscape, ensuring resilience against increasingly sophisticated threats. As agencies continue to make strides in implementing zero trust, their collective efforts will contribute to a more secure and unified federal infrastructure.
Gary Barlet is public sector chief technology officer at Illumio.
A holistic approach to transitioning to a fully mature zero trust architecture
Implementing zero trust requires a significant cultural shift within all levels of an agency, as zero trust does not start and stop with IT professionals.
The White House recently released a memo directing agencies to ensure their fiscal year 2026 budgets reflect the five pillars outlined in the National Cybersecurity Strategy. In particular, it encourages agencies to continue the transition towards fully mature zero trust architectures and updated zero trust implementation plans that document current and target maturity levels for high impact systems in line with the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model.
The memo comes at a crucial time as federal agencies are racing to meet the White House’s September 30 deadline to move toward zero trust. As agencies continue transitioning to fully mature zero trust architectures and developing detailed implementation plans, there are several factors that that will foster a solid foundation for their zero trust goals.
Cultural and organizational change during implementation
Implementing zero trust requires a significant cultural shift within all levels of an agency, as zero trust does not start and stop with IT professionals. Zero trust is an all-encompassing effort and is the responsibility of the entire agency and its leadership. Securing buy-in from executive leadership and including acquisition professionals and engineers in conversations about the agency’s zero trust implementation plans is crucial. This culture change often requires re-education and ongoing training to ensure that all agency leadership and staff are aligned with the new security protocols and understand the critical importance of their role in maintaining the integrity of the agency’s systems and data.
As these discussions unfold, it’s important that leadership also grasps the fundamental shift in the security approach that zero trust represents. Rather than traditional security measures that rely on perimeter defenses to keep threats out, zero trust relies on a “never trust, always verify” concept — scrutinizing every action and access request, ultimately re-enforcing the importance of all levels within an agency to be vigilant about potential threats. Through education initiatives, leadership can better understand how zero trust takes a proactive approach to security, rather than the reactive measures of the past.
Learn how DLA, GSA’s Federal Acquisition Service and the State Department are modernizing their contract and acquisition processes to make procurement an all-around better experience for everyone involved.
Leadership plays a crucial role in the successful implementation and maintenance of zero trust protocols. Their support is instrumental in driving the necessary changes and ensuring that resources are allocated effectively. When leaders are committed to zero trust principles, they set a tone that encourages widespread adoption and adherence across the agency.
Prioritizing progress over perfection
The CISA Zero Trust Maturity Model is built on five key pillars: identity, device, network/environment, application and workload, and data. These pillars form a comprehensive approach to continuously validating and securing an organization’s digital environment. In the journey towards fully mature zero trust architectures, agencies must prioritize measurable progress across the five pillars rather than striving for perfection in each area. They can achieve this by working on all pillars simultaneously, making progress in each based on individual needs and vulnerabilities, rather than trying to perfect any one pillar. By identifying where their greatest needs and vulnerabilities lie within each pillar, agencies can implement measures that address those weaknesses immediately.
There will never be a “one-size-fits-all” solution for zero trust, and agencies looking to make progress on their zero trust goals must tailor architectures and implementation plans to their unique stage of the cybersecurity journey. As agencies work on each pillar, they must prioritize continuous improvement with small but impactful wins that recognize the dynamic nature of cyber threats and are better equipped to adapt to the evolving landscape.
By setting realistic, incremental goals, agencies can adapt to new challenges more effectively and continuously enhance their defenses. This method ensures that efforts are not stalled by the pursuit of perfection, which can be both time-consuming and resource intensive.
Regularly evaluating progress in each pillar enables agencies to identify areas of strength and weakness. This allows for more targeted investments and adjustments, ensuring that security measures remain effective and relevant over time.
Collaboration among agencies strengthens cybersecurity
In the journey toward fully mature zero trust architectures, collaboration among federal agencies is not just beneficial — it is essential. Initiatives like program management offices for zero trust and integrating zero trust principles in governance frameworks are steps in the right direction. The complex and evolving nature of cybersecurity threats demands a unified and coordinated approach, where agencies work together to share knowledge, best practices and resources.
Agencies can also work together to share how zero trust segmentation (ZTS) offers a path forward to combat evolving threats and address various vulnerabilities. ZTS breaks down networks into smaller segments and isolates critical assets — reducing the risk of lateral movement by attackers within the system, protecting sensitive information, and maintaining operational continuity, even in the event of a breach. ZTS can serve as a common ground for collaboration, enabling agencies to implement consistent security measures across segments while tailoring specific defenses to their unique needs.
By collaborating, agencies can share critical information about emerging threats, vulnerabilities and successful defense strategies. This collective intelligence helps agencies stay ahead of adversaries, enabling them to respond more effectively to attacks and reduce the risk of being caught off guard. Knowledge sharing also fosters innovation, as agencies can learn from each other’s experiences and apply proven solutions to their own security challenges.
Read more: Commentary
The success of zero trust implementations should be measured using metrics and verified through practices like red team testing. Of equal importance is celebrating short-term wins. Demonstrating zero trust successes develops greater buy-in and builds positive momentum.
Building a resilient federal cyber defense
The White House memo underscores the urgency of transitioning to fully mature zero trust architectures as part of their FY26 budget planning. By embracing cultural and organizational shifts, prioritizing progress over perfection, and fostering collaboration across agencies, the federal government can strengthen its cybersecurity posture.
These approaches not only safeguard government assets but also enhance the overall security landscape, ensuring resilience against increasingly sophisticated threats. As agencies continue to make strides in implementing zero trust, their collective efforts will contribute to a more secure and unified federal infrastructure.
Gary Barlet is public sector chief technology officer at Illumio.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Related Stories
DoD agencies confront zero trust challenges, misunderstandings ahead of 2026 deadline
Marines banking on identity services as zero trust foundation
Zero trust and AI continue as top cyber priorities in second half of 2024