Defense Security Chief Teases 5-Year Zero Trust Strategy
Key tools within the strategy include software bills of materials and data analytics.

The Pentagon will soon release a comprehensive strategy on zero trust that defines capabilities for the security framework to be implemented over the next five years, the Pentagon’s security chief said.
“We’re taking an aggressive stance. Our funding is in alignment with this — that we want to be at targeted zero trust for the department by the end of fiscal year 2027,” said Defense Department Deputy CIO for Cybersecurity David McKeown at the Billington Cybersecurity Summit in Washington, DC, Wednesday. “It is very comprehensive. It’s our north star.”
As part of the strategy, coordinated with Randy Resnick, the newly appointed head of DOD’s Zero Trust Portfolio Management Office, McKeown highlighted that 90 capabilities are going to define what he called “targeted zero trust.” An additional 62 capabilities will define more “advanced zero trust” for applicability on critical national security systems.
Three methods, he added, will guide successful implementation: uplifting the current environment, implementing zero trust cloud on premises and partnering with cloud providers to examine current FedRAMP offerings.
Key to this effort, and to partnerships, will be creating software bills of materials (SBOMs) and acquiring tools to ingest that data.
“This is an area we definitely need help to reform,” McKeown said. “Both SolarWinds and Log4j are examples of software that we willingly accepted into our environment. The Log4j problem was even more difficult because we had this reliance on all software vendors. … We didn’t have a way of quickly enumerating which software had it and patch it and remove it from the network.”
“The Log4j vulnerability was a feature, not a bug,” Federal CISO Chris DeRusha said.
As agencies, like DOD, develop their zero trust strategies, DeRusha said key tools in this process will complement other strategies around the customer experience and the workforce.
“We have to get better at customer experience and user experience when rolling out security solutions,” DeRusha said. “[SBOMs] are an enabling tool — not a silver bullet. … They can help get the information folks need to do better vulnerability management.”