Defining Protect Surfaces in Federal Zero Trust Implementation
Virtru's Don Yeske, a former federal zero trust architect, argues that without defined protect surfaces, federal agencies are trying to protect everything and securing nothing.
By Don Yeske | National Defense University, College of Information and Cyberspace | Final Version: March 27, 2026
This paper was written as a Master's level thesis by Don Yeske, Virtru's Senior Solutions Architect & Enablement Lead, as a graded academic paper for the National Defense University's College of Information and Cyberspace, finalized in March 2026. The views expressed are solely those of the author and do not represent official positions of NDU, the Department of Defense, or the U.S. Government. The paper was reviewed and strengthened by multiple colleagues, academic advisors, and faculty at National Defense University, whose critical analysis the author credits as invaluable.
Drawing on firsthand experience leading zero trust architecture efforts at both the Department of the Navy and the Department of Homeland Security, Yeske identifies a critical gap in federal zero trust implementation: the near-total absence of the protect surface concept from key directives and guidance. By directing agencies to implement zero trust across entire enterprise environments at once, federal directives have effectively asked agencies to protect everything, and as a result, protected nothing with meaningful depth or measurable success.
The paper examines foundational federal zero trust references, reviews publicly reported implementation results, and proposes a targeted strategic adjustment: adoption of a shared, government-wide definition of the protect surface, enabling agencies to sequence and prioritize zero trust implementation one protect surface at a time.
For federal cybersecurity practitioners, architects, and policy professionals, this paper offers a grounded, experience-informed critique of the current state of zero trust implementation and a concrete path forward.
A note on authorship and context: Don Yeske brings direct, practitioner-level experience to this analysis. He led zero trust architecture efforts for the Department of the Navy (2021-2023) and the Department of Homeland Security (2023-2025), contributing to the federal zero trust knowledge base whose shortcomings he examines here. Today, as Senior Solutions Architect & Enablement Lead at Virtru, he works with federal agencies to address the hardest parts of zero trust, particularly the data pillar, through data-centric security architecture. The ideas in this paper reflect themes central to Virtru's mission: that protecting the data itself, not just the perimeter around it, is what zero trust ultimately demands.










