
Zero Trust in 2026: From Federal Mandate to What Agencies Buy
DISA's Thunderdome cleared DoD's hardest zero trust bar two years early, and CISA is now telling civilian agencies to retire TIC 2.0 for SASE. The story has shifted from compliance to procurement.
Uniqcli Newsroom · · 6 min read
Industry Trends
The federal zero trust story quietly flipped from compliance to procurement
In April 2025, a DoD CIO purple team validated that DISA's Thunderdome program had scored a perfect 152 out of 152 capability outcomes — clearing the department's most demanding "advanced" zero trust level more than two years before the FY2027 deadline. That milestone signals a broader shift: the defining question in federal networking is no longer whether agencies will hit the mandate, but what they are actively putting on RFPs to get there.
Three clocks, not one
Buyers routinely conflate three separate deadlines. The first belongs to civilian agencies: OMB Memorandum M-22-09, issued January 26, 2022, required non-DoD agencies to meet specific zero trust goals across five pillars — identity, devices, networks, applications and workloads, and data — by the end of FY2024. As of that September 30, 2024 deadline, the 24 CFO Act agencies were reported to be in the high-90-percent range on completion of the essential elements.
The second and third clocks belong to Defense. DoD Directive-Type Memorandum 25-003, issued July 2025, directs all DoD Components to reach at minimum "target level" zero trust across unclassified, classified, and control-system environments by the end of FY2027 (September 30, 2027). "Target level" corresponds to 91 of the capability outcomes defined in the 2022 DoD Zero Trust Strategy; the full "advanced level" adds 61 more for a total of 152, carrying a separate FY2032 deadline for IT systems.
These are three different obligations on three different timelines. A civilian agency measuring itself against CISA's maturity model is not on the same schedule as a DoD Component chasing target level, and neither is bound by the FY2032 advanced-level horizon. Reading a single "deadline" into federal zero trust is the first mistake to avoid.
The guidance cadence
CISA set a shared vocabulary, then a steady stream of playbooks
Across 2025 and 2026, CISA moved from framework to specifics — publishing implementation guidance on the exact architecture shifts agencies are now funding.
Maturity Model 2.0
CISA's Zero Trust Maturity Model organizes federal guidance around five pillars plus cross-cutting capabilities, rating agencies across Traditional, Initial, Advanced, and Optimal stages. It is the common yardstick agencies and vendors reference in requirements.
SASE for TIC 3.0
On June 24, 2026, CISA published "The Journey to Zero Trust: Using SASE in a Modern TIC 3.0 Solution," a vendor-agnostic guide directing civilian agencies to replace legacy MTIPS/TIC 2.0 perimeter architecture with cloud-delivered Secure Access Service Edge.
Learn moreMicrosegmentation, Part One
CISA's July 2025 "Microsegmentation in Zero Trust, Part One" targets non-technical management audiences on planning the move away from flat, perimeter-trust networks, with a more technical Part Two planned as a follow-up.
Zero trust for OT
On April 29, 2026, CISA — with DoD, DOE, FBI, and State — published the first comprehensive federal guidance applying zero trust to operational technology, stating plainly that "blanket application of traditional IT-focused ZT capabilities to OT is neither reasonable nor feasible."
Learn moreZTNA is displacing the VPN concentrator
The most visible architectural change is at the remote-access edge. Gartner projected that by 2025 at least 70 percent of new remote-access deployments would use Zero Trust Network Access rather than VPN, up from under 10 percent in 2021 — a benchmark that helps explain why agencies are procuring identity-aware proxies and SASE stacks instead of refreshing VPN concentrators. CISA's June 2026 SASE guidance formalizes that direction for civilian agencies.
The market data tracks the shift. The global ZTNA market is projected to grow from an estimated $1.34 billion in 2025 to $4.18 billion by 2030, a 25.5 percent compound annual growth rate, with Palo Alto Networks, Zscaler, Cloudflare, Microsoft, Check Point, Teleport, and Cisco named among the leading vendors. For the defense industrial base, CMMC requirements are expected to begin appearing in DoD contracts as early as October 1, 2026, adding further pressure to adopt compliant tooling.
What agencies are actually procuring
The 2025-2026 buying pattern
Program activity points to four active categories. Thunderdome's own stack — enterprise ICAM, commercial SASE, and SD-WAN, built on Palo Alto Networks Prisma Access and Versa Networks under an IDIQ ceiling of $1.86 billion over five years — reads as a template for the wave that follows.
- Identity: phishing-resistant MFA built on PIV/CAC-based PKI and FIDO — treated as the single highest-impact identity control under both M-22-09 and the DoD strategy; CISA cites USDA's early FIDO deployment as a success story predating the mandate
- SASE and SD-WAN bundles: cloud-delivered secure access edge that pairs ZTNA-style identity-aware access with networking, replacing MTIPS and VPN concentrators
- FedRAMP-authorized microsegmentation: Illumio Government Cloud reached FedRAMP Moderate ATO on September 5, 2024; ColorTokens announced FedRAMP Moderate authorization for its Xshield platform on January 12, 2026
- Network access control and identity-aware proxies for internal application access, as agencies retire flat, perimeter-trust network designs
Filter the noise before it reaches a requirement
The volume of zero trust content has produced its own hazard: confident but unverifiable claims. One widely circulated example holds that CISA issued a binding operational directive mandating zero trust for all federal agencies by December 31, 2026, with identity-aware-proxy-only access required by Q3 2026. It does not hold up. CISA's actual 2026 binding operational directives are BOD 26-02 (mitigating risk from end-of-support edge devices, February 5, 2026) and BOD 26-04 (prioritizing security updates based on risk, June 10, 2026) — neither is zero-trust-specific. The claim traces to low-quality secondary sources and should be treated as unverified and excluded from planning.
Also worth noting for accuracy: Executive Order 14347, signed September 5, 2025, authorizes "Department of War" as a secondary title for DoD in non-statutory communications, and the department now uses war.gov — but only Congress can legally rename the department. When guidance carries that branding, it is the same DoD zero trust program under a different masthead. Uniqcli screens the provenance of every requirement it sources against primary CISA and DoD publications, so a fabricated deadline never becomes a line item.
Common questions from federal and SLED buyers
Is there really a hard December 2026 deadline for all federal agencies to have zero trust fully implemented?
No single deadline like that exists. Civilian agencies' primary OMB M-22-09 deadline was the end of FY2024 (September 30, 2024), and most of the 24 CFO Act agencies reported being in the high-90-percent range on core requirements by then. DoD's target-level deadline is the end of FY2027 (September 30, 2027), with advanced-level requirements due by FY2032. Claims of a CISA binding operational directive requiring zero trust with identity-aware-proxy-only access by December 2026 do not match CISA's actual published directives — the current ones, BOD 26-02 and BOD 26-04, are unrelated to zero trust specifically — and should be treated skeptically.
Does zero trust mean agencies are ripping out VPNs entirely?
Largely yes for new deployments, though legacy VPN is not disappearing overnight. Gartner projected that by 2025 at least 70 percent of new remote-access deployments would use ZTNA instead of VPN, up from under 10 percent in 2021. CISA's June 2026 guidance formalizes this for civilian agencies by directing them to replace legacy TIC 2.0/MTIPS perimeter connections with cloud-delivered SASE, which bundles ZTNA-style identity-aware access alongside networking and security.
What specific technologies are agencies actually procuring under zero trust budgets right now?
Based on current program activity: identity modernization (phishing-resistant MFA on PIV/CAC and FIDO), SASE and SD-WAN platforms (DISA's Thunderdome uses Palo Alto Networks Prisma Access and Versa Networks), and FedRAMP-authorized microsegmentation (Illumio Government Cloud, authorized September 2024; ColorTokens Xshield, authorized January 2026). Network access control and identity-aware proxies for internal application access are also active categories as agencies retire flat, perimeter-trust network designs. Uniqcli can help scope and source these across the pillars — start at /get-a-quote or browse the catalog at /catalog/browse.

