Wednesday, December 10, 2025

Why Zero Trust is Still a National Security Imperative

And What Organizations Are Getting Wrong

Across the public sector, the “never trust, always verify” or “Zero Trust” concept used in cybersecurity has risen in prominence to become mandated at the highest levels of government. The basis of Zero Trust is that, as far as IT infrastructure and data are concerned, no user, device, or process is trusted by default, whether inside or outside the network.

It’s a proven approach designed to overcome legacy security models that leave organizations exposed to threat actors who routinely exploit misconfigurations and use stolen credentials, malware and file-based attacks to infiltrate networks and move laterally across systems.

Given the risks this presents to public sector bodies and critical national infrastructure, the removal of trust by default is now imperative. The problem is, many organizations remain behind the curve: according to Gartner, one in three have yet to implement a Zero Trust strategy, with these networks subject to significant gaps in protection, particularly as adversaries grow more sophisticated and attack surfaces expand.

From principle to practice

So, why does Zero Trust implementation continue to suffer from inertia? Firstly, many organizations treat Zero Trust as a policy goal rather than an ongoing process. In practical terms, this means that initiatives can stall at the planning stage, with frameworks established on paper but not subsequently translated into new processes or investment.

Then there are various technology issues to contend with. These range from fragmented or legacy infrastructure that’s difficult to adapt, through misconfigured identity and access management systems, to inconsistent authentication and verification practices, among various others.

It’s also not uncommon for responsibility for Zero Trust adoption to end up spread across departments, with no single owner to drive change or measure maturity. At the same time, public-sector funding cycles and complex procurement rules make it difficult to sustain the multi-year investment needed to replace outdated systems and retrain staff. The situation is further complicated by a fragmented vendor landscape, where overlapping tools and inconsistent standards make integration complex and prone to error.

Wherever the gaps appear, they can create opportunities for threat actors. This is a huge problem for every organization, but for agencies handling classified data or mission-critical systems in particular, these weaknesses can have national-level consequences. The inherent complexity of these environments, which rely on highly interconnected networks, third-party contractors, and legacy systems, only serves to multiply the number of potential attack vectors.

The government-wide Zero Trust agenda

Recognizing these realities, the government’s Zero Trust agenda has accelerated significantly, with federal cybersecurity strategy entering a new phase of implementation. Agencies are now expected to demonstrate measurable progress toward Zero Trust maturity, guided by clearly established frameworks.

For instance, CISA’s Zero Trust Maturity Model (ZTMM) provides a structured roadmap across five pillars (identity, device, network, application, and data) to define a clear path to optimal maturity. This model has become the benchmark for assessing progress and aligning standards across both public and private sectors.

Within the wider federal landscape, progress is happening almost everywhere. For instance, defense and intelligence networks are leading the way in operationalizing Zero Trust. Examples include the Army Unified Network Plan (AUNP) 2.0, which provides a strategic blueprint for modernizing network infrastructure and establishing a secure digital backbone that links tactical units, command centers, and every level in between through protected data exchange. Similarly, the Department of the Navy (DON) has outlined a phased plan through FY2030 to integrate Zero Trust principles across everything from enterprise IT services to tactical systems.

These developments are part of a broader shift toward integrating Zero Trust as the foundation of U.S. cybersecurity resilience. Crucially, they also underline the importance of addressing persistent blind spots across data, hybrid cloud, supply chain and insider threat domains that can undermine even the most advanced architectures. File-based malware and ransomware, in particular, remain a major weakness, often evading detection-based defences even in advanced Zero Trust environments. But, by integrating Zero Trust principles into day-to-day workflows, government agencies can meet key national objectives for safeguarding critical systems at every level.

With nearly 30 years in SaaS and enterprise software, Paul Farrington combines deep product strategy expertise with proven go-to-market execution and technology leadership.

As CPI and CMO of Glasswall, Paul leads the integration of product vision with brand strategy, demand generation, and partner marketing to drive scalable growth. He brings together product management, engineering, pre-sales, and BDR teams to ensure alignment from initial product design through to revenue.

Prior to Glasswall, Paul served as EMEA Chief Technology Officer (CTO) and Senior Director of Product Management, a dual leadership role spanning technology evangelism, product strategy, and customer engagement. He has also held senior roles at BCBG and Barclays.
