Presented by Booz Allen
Zero Trust is more than a cybersecurity framework—it’s a fundamental shift in how government agencies protect their networks, data, and operations. As the Department of Defense pushes toward its 2027 Zero Trust implementation goal, civilian agencies are also transforming their security postures to meet evolving threats. In this special program, sponsored by Booz Allen, I’ll talk with cybersecurity leaders from DISA, the State Department, GAO, and Booz Allen about the progress agencies are making, the challenges they’re facing, and the strategies that will define the future of Zero Trust across government.
Laying the Foundation: Zero Trust Implementation Across Agencies
Zero trust has become the defining cybersecurity framework for both the Department of Defense (DoD) and civilian federal agencies. With the DoD targeting full zero trust implementation by 2027, agencies are at varying stages of their journey. In a recent discussion on Fed Gov Today’s Zero Trust In Depth, Ryan Zacha, Solution Architect at Booz Allen, shared insights into how agencies are progressing and what best practices are emerging.
According to Zacha, many agencies have been implementing zero trust principles long before the term gained prominence. “It’s about taking fundamental cybersecurity concepts and refocusing them to build internal protections,” he explained. One of the first critical steps is inventory management—understanding where data resides, identifying devices on the network, and controlling their access.
A key takeaway is that zero trust is not a tool but a paradigm shift. Agencies must cultivate a security-first culture that challenges assumptions about data access and sharing. “It’s not just about policies; it’s about ensuring that every user and system interaction is scrutinized,” Zacha noted. The ultimate goal is to develop real-time access controls and monitoring mechanisms that can adapt to evolving threats.
Another challenge in zero trust implementation is moving beyond legacy security models. The intelligence community, for example, has long operated with strict data access controls. However, many civilian agencies are accustomed to more open data-sharing environments. Reconciling these cultural differences while ensuring operational efficiency is a major hurdle in zero trust adoption.
Zacha also highlighted how emerging technologies such as AI and Secure Access Service Edge (SASE) are playing a role in advancing zero trust capabilities. AI and machine learning help agencies manage the vast amounts of data they collect, allowing them to identify anomalies and potential threats more efficiently. As agencies progress beyond the inventory phase, leveraging AI-driven analytics will be crucial for refining access controls and detecting security breaches before they escalate.
Expanding the Scope: Zero Trust in Action at DISA, State Department, and GAO
While agencies are at different stages of their zero trust journeys, many are making significant strides toward full implementation. Leaders from the Defense Information Systems Agency (DISA), the State Department, and the Government Accountability Office (GAO) shared their perspectives on how zero trust is shaping their cybersecurity efforts, the roadblocks they’ve encountered, and the solutions they’re deploying.
Chris Pymm, Zero Trust Portfolio Manager at DISA, emphasized that their role is to ensure that all defense agencies and field activities integrate zero trust principles into their networks and operations. “For some, it’s mandatory; for others, it’s voluntary,” he explained. DISA’s mission is to weave zero trust across the entire DoD enterprise—from traditional IT environments to tactical deployments on ships, aircraft, and military bases. The agency is also working with multiple combatant commands to help them reach the DoD’s 2027 zero trust target. Given the complexity of the defense ecosystem, DISA’s efforts extend beyond networks to endpoints, cloud environments, and classified systems, ensuring that all components operate under zero trust principles.
At the State Department, Manuel Medrano, Director of the Office of Cyber Monitoring, highlighted the agency’s unique challenges in implementing zero trust across its globally distributed network. “Our role in Diplomatic Security is to support the CIO and CISO while ensuring cyber defense operations are aligned with zero trust principles,” Medrano explained. The agency is prioritizing identity management and data security, which are crucial for protecting sensitive diplomatic communications. However, with embassies and consulates operating under different infrastructure constraints, ensuring a uniform zero trust approach is no small feat. Medrano stressed the importance of balancing cybersecurity with operational efficiency, ensuring that security measures do not hinder the ability of diplomats and staff to carry out their missions effectively.
Data management is another major hurdle, not just for the State Department but for all agencies implementing zero trust. Medrano noted that while agencies have always collected large amounts of data, the shift toward zero trust requires a more strategic approach to data collection, retention, and analysis. “It’s about making sure we’re collecting the right data based on new security controls,” he said. To optimize this process, the State Department is shifting to a “lakehouse” data architecture, keeping data closer to its source and bringing analytics to the data instead of moving massive amounts of information across networks. This method reduces costs and enhances security by limiting unnecessary data transfers.
GAO, which not only implements zero trust internally but also evaluates other agencies’ cybersecurity efforts, offers a unique perspective on the federal government’s progress. GAO CISO Mark Canter explained that his agency is further along in its journey, with most zero trust components already in place. “We’ve mapped our systems, secured our identities, and are now focused on refining access controls and behavioral analytics,” Canter said. He pointed out that one of the biggest challenges across agencies is unifying different data formats. “Data is often siloed, and we need standardized structures to make it more actionable,” he added. GAO’s experience highlights the importance of governance, policy alignment, and strong collaboration between cybersecurity, IT, and operational teams.
Looking ahead, all three agencies agree that continuous innovation will be key to sustaining zero trust efforts. Behavioral analytics, AI-driven threat detection, and data governance improvements will help agencies move beyond the foundational stages of zero trust and into a more dynamic, adaptive cybersecurity environment. Collaboration between government and industry will also play a vital role in refining strategies and ensuring that agencies stay ahead of emerging threats. While the road to full zero trust implementation is complex, the progress being made across the federal landscape demonstrates a strong commitment to a more secure future.