Cyberattacks on defense agencies have become a constant threat. Recognizing that traditional network protections for cybersecurity are no longer enough, the Department of Defense (DoD) has prioritized a Zero Trust Architecture (ZTA) approach to better protect sensitive systems. However, many agencies struggle to apply these principles effectively without disrupting their operations.
At GovCIO Media & Research’s 2025 Defense IT Summit, I joined a panel of federal leaders to discuss how defense agencies are putting zero trust into practice. As I emphasized during the discussion, implementing ZTA doesn’t have to be a major undertaking. At Maximus, we help agencies apply zero trust in a way that boosts cybersecurity without adding complexity, slowing down users, or requiring a complete system overhaul.
Let’s take a look at some of the key takeaways from our discussion.
Embedding zero trust into IT modernization
Many federal agencies view zero trust as an IT project rather than a long-term security strategy that should align with broader modernization efforts. Monica Montgomery, Deputy Chief Information Security Officer for Management and Strategy at the National Geospatial-Intelligence Agency (NGA), described how NGA approached implementation by assessing security controls and identifying where zero trust principles could be integrated into existing systems instead of forcing a full overhaul.
Louis Koplin, Program Executive Officer for the Department of the Navy’s Program Executive Office for Digital and Enterprise Services, shared how the Navy’s Flank Speed initiative proved that zero trust can improve security without making access difficult for users. Designed to protect collaboration tools, Flank Speed applies ZTA principles and shows that agencies don’t have to sacrifice efficiency for stronger security.
Indeed, zero trust serves agencies most efficiently when built into modernization efforts rather than bolted on later. It works best when integrated into modernization strategies rather than treated as an isolated compliance requirement. While integrating zero trust is important, agencies often run into challenges that slow progress. Addressing these issues with adaptable solutions is key to making ZTA work at scale.
Overcoming zero trust challenges
ZTA approaches can improve security without creating barriers that make systems harder more difficult to use. Gurpreet Bhatia, Principal Director of Cybersecurity and Acting Chief Information Security Officer at the DoD, stressed that the goal is to reduce attack surfaces and improve threat detection, not just meet compliance requirements.
Bhatia’s goal is within reach. In fact, agencies don’t need to rebuild their entire IT infrastructure to implement zero trust. Instead, they can refine existing frameworks by learning from early adopters and tracking real-time security performance.
For many agencies, this means addressing common challenges:
- Managing identity and access: Disjointed authentication systems create security gaps and make it harder for users to securely access the resources they need.
- Detecting and responding to threats in real-time: Without constant monitoring, agencies struggle to identify and contain cyber threats before they escalate.
- Modernizing security without disrupting operations: Some agencies worry that zero trust will require expensive infrastructure changes or add unnecessary technical complexity.
Maximus helps agencies overcome these challenges by embedding zero trust into their existing environments without disruption. By consolidating identity and access management, we reduce credential sprawl and simplify authentication processes. Our 24x7x365 Security Operations Centers (SOC) provide real-time monitoring to detect and contain threats before they cause disruption. And instead of forcing agencies to replace entire systems, Maximus designs flexible security architectures that improve cybersecurity while preserving operations.
With this approach, agencies can make zero trust a functional part of their security strategy, not an operational obstacle.
Building zero trust for mission readiness
Zero trust is sometimes seen as just another compliance requirement, but for defense agencies, it is a strategy for resilience. Bhatia noted that success depends on better training, clear policies, and investments that reduce risk at all levels.
Maximus supports this approach by collaborating with DoD agencies to implement zero-trust-compliant DevSecOps, SOCs, and cyber architecture and engineering solutions that close security gaps while keeping systems operational.
It is important to think of zero trust as an iterative process rather than a one-time fix. The goal isn’t to check a box. Agencies need security that actually protects their people, data, and missions without getting in the way.
The future of zero trust in defense
Zero trust is not a static model. As artificial intelligence (AI and automation) reshapes cybersecurity, agencies must continue refining their strategies to stay ahead of new threats. Panelists agreed that zero trust must evolve alongside these technologies to remain effective.
Maximus supports agencies in designing modular, scalable security solutions that adapt without rip-and-replace methods. For defense agencies, the goal is clear. They need a security model that protects data, supports agency needs, and strengthens mission readiness. Maximus is here to help agencies get there.
For more insights, watch the full panel discussion from the 2025 Defense IT Summit.