With the 2027 zero trust strategy deadline looming, the Department of Defense (DOD) has seen submissions increase from 38 implementation plans last year to 58 this year. The increase signals progress, but the deeper challenge is how to operationalize zero trust architecture (ZTA) in federal environments that were not designed for this model in the first place.
I recently joined Randy Resnick from the Department of Defense’s Zero Trust Portfolio Management Office and Dr. Brian Herman from the Defense Information Systems Agency (DISA) for a GovExec TV panel to discuss how agencies are handling this transition. The conversation reflected a shared understanding: ZTA is less of a framework to adopt than a practice to sustain. The agencies making progress are basing their efforts on measurable outcomes.
Here are some of the takeaways from our discussion.
A cultural break from traditional IT
Adopting ZTA requires more than overlaying new tools or platforms onto existing systems. It calls for overall cultural changes in how teams think, make decisions, and manage access across environments.
As I shared during the panel, ZTA breaks the traditional command and control (C2) framework that has defined IT operations across DOD for decades. Security, network, and system administrators now need to work as one, in real time, with shared ownership over identity and access decisions.
Changing this mindset has meant encouraging cybersecurity professionals to move away from familiar practices toward a more integrated and continuous model. This cultural adjustment requires consistent training, policy updates, and visible leadership involvement to reinforce new behaviors.
Collaboration depends on shared outcomes
As agencies adapt, outcome-based engagement has become an important strategy. Instead of asking for feature sets, the DOD defines what success looks like and then invites vendors to design solutions around those goals.
This strategy has yielded meaningful progress, including DISA’s Thunderdome program. Built over three years, Thunderdome integrates identity and access management, endpoint compliance, and threat response into a unified platform. A rigorous third-party assessment confirmed it meets stringent ZTA criteria.
As the panel emphasized, when agencies define what success looks like and allow room for innovation, public-private collaboration becomes far more productive.
Shared environments need shared ownership
Progress is complicated by the fact that most agencies manage mixed systems, including cloud-based services and on-premises applications. Dr. Brian Herman of DISA explained that any ZTA model built for real-world use must account for this variability from the beginning. Some parts of the network can adopt new capabilities quickly, while others require more tailored approaches.
Thunderdome was engineered with that variability in mind. Its flexibility is one reason it succeeded. The design focused on tools and integrations that could work across hybrid environments, and the result was an architecture capable of operating in both cloud-native and resource-constrained settings. The same principle applies to ZTA efforts across federal agencies. To be successful, solutions need to work across technical boundaries and support day-to-day operations without disruption.
Federal agencies see better results when they work with partners to implement ZTA principles in real-world environments. Key factors include bringing IT and mission leaders together to align strategy with operational constraints and designing implementations around the systems, processes, and conditions that already exist.
Data practices reflect institutional habits
Another challenge is data tagging and classification. While some platforms support structured labeling, much of the data management across federal systems remains unstructured or inconsistent. Improving visibility starts with better labeling, down to the sentence or word level. This not only supports access control but also drives secure collaboration with coalition partners.
Artificial intelligence (AI) and machine learning (ML) offer ways to automate classification and tagging at scale. Even incremental adoption of appropriate AI/ML tools could significantly improve secure data sharing across defense, intelligence, and civilian agencies.
Automation follows change
To keep up with emerging threats, agencies are prioritizing automation to reduce manual workload and focus analyst attention on the more complex incidents that require human judgment and expertise. Randy Resnick, who leads the DOD’s Zero Trust Portfolio Management Office, noted that the DOD aims to automate 80 percent of defensive cyber actions by the end of fiscal year 2027. Agencies are also adapting behavior models from the commercial space to detect insider threats more effectively.
But these tools only work when built on thoughtful design and reliable data. Having worked on ZTA from both the government and industry sides, I have seen the importance of balancing automation efforts with sound data management and operational readiness.
At Maximus, we see culture, not technology, as the most persistent challenge in ZTA implementation. Our cybersecurity services help defense agencies adjust to these changes through workforce development, systems integration, and strategic execution. We support efforts focused on automation, access, secure data sharing, and long-term adaptability.
Discover more
For more insight into the strategies behind achieving measurable ZTA progress, watch the full panel discussion.