This is clearly a “hot” topic and one for which you have received a lot of good feedback already.
In any enterprise-wide IT effort such as a security policy, governance mechanism or organizational structure, to name a few, I have found that there are almost always two options: the ideal one and the one that will actually work in practice. They may not be the same.
In an ideal world, a single policy that would require one set of training materials, one set of criteria to audit against and the proverbial “one throat to choke” when something goes wrong may be ideal, but it appears from some of your comments that it may not be workable in practice. In these situations a single policy would have to incorporate the unique needs of each unit and would thus impose needless and costly requirements on some agencies in order to meet the needs of others.
Perhaps the best approach in this case is a federated model. It is a bit like the US government. We have a constitution, which is the “law of the land”, but individual states can enact laws that support their unique needs provided they do not conflict with the constitution. We have a judicial branch of government to oversee that aspect.
In your case, I would suggest that you identify those aspects of policy that cannot be compromised and these become your “constitution.” This is an overarching set of rules that everyone must adhere to. Then allow individual agencies to supplement this with rules and policies that may be specific to their mission provided they do not conflict with the overarching policy. You will need some form of “Judiciary” to sort out differences and that may fall to the Department’s CISO’s office.
Implementing something like this will require not only knowledge of security best practices and regulations but good political and salesmanship skills because a lot of people will be affected. Good luck!