War Department Advances Zero Trust to Meet 2027 Deadline

War Department officials are strengthening internal expertise around zero trust to continuously secure systems, accelerate innovation and improve cross-department collaboration as they work to meet the federal mandate to implement zero trust architectures by fiscal year 2027.

Shery Thomas, enterprise IT officer at the Navy Installations Command, said clearly demonstrating security solutions and best practices to end users — without adding complexity — can help strengthen a team’s zero trust culture.

“We need to be able to talk in the same language and say, ‘this is what we’re providing. we didn’t make it any more difficult for you,’” said Thomas at GovCIO Media & Research’s Defense IT Summit Thursday in Arlington, Virginia.

Strengthening Zero Trust Culture

Defense Healthcare Management Systems Chief of Cybersecurity for the Program Executive Office Chris Wallace said that while the department has pushed for a more cyber-resilient workforce, he wants more personnel to understand the seven pillars of zero trust.

“You can’t forget the basic fundamentals, the cyber hygiene pieces, because that is really where you can start to really crack open the mystery of zero trust,” said Wallace. “[Zero trust] becomes a buzzword, but if you really look at it for that integration it becomes a more dynamic, automated and faster way to operate.”

Marine Corps Community Services Chief Digital Business Officer Dave Raley said zero trust principles have helped the department and MCCS reorient their focus toward mission outcomes rather than compliance. Too often, he said, teams sacrifice mission outcomes because they view compliance as the end goal rather than a byproduct of cybersecurity.

“In the case of software, the goal is mission outcome with secure resilience. I think rebalancing and harmonizing that, and helping teams understand that security is not a is not a barrier to a mission outcome … should be complimentary,” said Raley.

He added that zero trust has helped speed software acquisition and deployment timelines from months to minutes. In the past, engineers often waited 12 to 18 months for security teams to determine whether their code met security and compliance standards.

“That engineer now is empowered to understand what they’re doing from a security perspective, and the mission outcome is that you’re giving continuous authorization for your container in 15 minutes,” said Raley.

Resiliency Is Not the Same as Security

Zero trust also enables teams to operate more securely by assuming systems are already compromised. Cohesity Public Sector CTO and CISO Marlin McFate said cyber resiliency adds critical visibility when securing both primary and secondary systems.

He said many teams focus heavily on primary systems while neglecting secondary systems, which can undermine how safely and quickly they recover from a cyber incident.

“I think most people that I talk to think, ‘if I’m doing cyber security correctly, that I’m kind of achieving cyber resiliency.’ And that is not the case,” said McFate. “We need to stop throwing the word resiliency around and come to a well-defined definition of cyber resiliency.”

Resiliency becomes increasingly important as teams integrate information and operational technology (IT/OT) along with Internet of Things (IoT) devices. Wallace said organizations need visibility across their full environments and a clear understanding of device lifecycle management.

“The fact that you can survive an incident doesn’t mean you’re resilient. It doesn’t mean that your secondary systems are resilient enough to fend off secondary activities,” said Wallace. “Back-end systems are still a vector for attacks and we have to understand that risk is an opportunity. It’s an opportunity for us to dig deeper and find where we can apply true resiliency from end to end.”