Federal agencies are well on their path to digital transformation, but in recent years, a shift has occurred: Agencies are recognizing that zero trust is the surefire pathway to a secure-by-default configuration.
Yet more than three years after the release of the Executive Order on Improving the Nation’s Cybersecurity, misunderstandings about the nature of zero trust still abound. Some IT and cybersecurity leaders don’t understand that zero trust is not a push-button solution; it’s a cybersecurity philosophy.
Agencies need to understand that there doesn’t have to be a binary decision between securing identities and securing the perimeter. In the modern, cloud-based environment, identity security is the key to securing the perimeter, which is now outside the network boundaries. And that doesn’t have to be complicated for end users. Multifactor authentication, for example, can actually be easier than keeping up with passwords for the end user, while also being more transparent and secure.
Now, with the upcoming 2026 deadline to accelerate enterprise cloud adoption for the Defense Department, the industry is seeing lots of hunger for zero trust solutions. Frank Cundiff, senior customer solutions manager with the Navy Team at Amazon Web Services, has witnessed mission owners that have been in the cloud for several years now looking at the DoD framework as a catalyst for change and improvement.
“A lot of mission owners [say] ‘we’re in the cloud. We’re operating. How do we modernize, how do we get better with security, with performance, with value? How can we operate cheaper and better?’” said Cundiff. “A lot of what I do day to day is working with our mission owners directly to do well-architected framework reviews and understand how we can help them accelerate mission objectives.”
This is the key, Cundiff said: Start small, then scale. Agencies need to assess their environments first, and work with their cloud service provider and partners to find where they are already achieving zero trust as laid out in the DoD Zero Trust Framework, where they have capabilities that are underutilized and can be leveraged to achieve zero trust compliance, and where there are gaps that need to be filled in, and determine how best to do so.
Struggling with data
One major challenge agencies are experiencing is the segmentation of data. That’s because many agencies, even as they move from a primarily on-premises model to a hybrid cloud solution, still have certain data they must keep on-premises for reasons of privacy or national security.
One way to address this balance is through a platform or tool that connects on-premises data to cloud analytics solutions. This allows agencies to unlock data and get the reporting and analysis they need, all while maintaining their security considerations.
“But at the end, back to the user, what’s their experience? Can they access the data?” said Ted Wagner, vice president and chief information security officer at SAP National Security Services (SAP NS2). “In this digital age, we really have to unlock all this information for the benefit of the mission of the organization.”
Sharing responsibility
Agencies also struggle with adapting to the shared responsibility model of cloud-based cybersecurity. Many cybersecurity tasks in this model are outsourced to the cloud service providers (CSP), but agencies are still responsible for implementing zero trust architecture.
Some agencies, such as the Navy, even have a three-way shared responsibility model. The stakeholders include the mission owner, the CSP, and a cloud service manager.
“That cloud service manager works with [the Defense Information Systems Agency] to understand the security controls,” Cundiff said. “They assist the mission owner with their authority to operate packages. They provide a good portion of core services to those mission owners to accelerate and assist them in their cloud journey.”
And that’s a good place to start with zero trust implementation: Accounting for controls based on who’s responsible for them. That creates a clear delineation of responsibility and transparency among the stakeholders, while also providing a baseline for communication.
That transparency and communication is important. Government agencies are very interested in the configurations of the architecture itself and how applications actually work. This transparency can give agencies confidence in their chosen cloud services.
“I think that the suite of security products are evolving every day, and that there are more opportunities to implement all the pillars of zero trust with the new technology,” Wagner said. “When a government organization finds itself in a roadblock, then I think they should look around and get input from their integrators or their suppliers; can they find a new way to implement one of the pillars of zero trust that they’ve had challenges in the past?”
The post DoD agencies confront zero trust challenges, misunderstandings ahead of 2026 deadline first appeared on Federal News Network.