DOD Cyber Strategy to Adapt to New Budgets, Tech Innovation

The Defense Department is entering a significant phase of rationalization and innovation in its cybersecurity strategy, driven by budgetary constraints and an evolving threat landscape, officials said this week at the Potomac Officers Club 2025 Cyber Summit in Falls Church, Viginia.

“We’re kind of in a heavy rationalization phase right now and exploring all of the ideas that we can to do things better and faster,” said David McKeown, deputy CIO for cybersecurity and senior information security officer at DOD. “It’s not just traditional IT networks, it’s weapon systems, it’s critical infrastructure. And it’s working with the defense industrial base on their cybersecurity as they do work with us.”

McKeown outlined initiatives aimed at bolstering the department’s defenses, streamlining processes and fostering stronger partnerships with industry. Quoting Winston Churchill, “All right, everybody, we’re out of money. Now we have to start thinking,” he said, adding that DOD needs to innovate its cybersecurity positioning under budgetary constraints.

“We’re kind of in the thinking phase of reinventing how we do a lot of things. In the department, we’ve been allowed to grow work on processes, some of them bureaucratic, some of them not,” said McKeown. “Some of them needed. Some of them not.”

Encryption as a Top Priority

McKeown said encryption is the new number one priority. The aging cryptographic infrastructure currently in place across various DOD platforms is increasingly vulnerable to advanced adversaries and the looming threat of quantum computing.

“For many years, we relied on [cryptography] on all of our different platforms,” said McKeown. “It’s getting old. The algorithms are getting old. The architectures are getting old. Our adversaries are getting more advanced. The advent of quantum is making progress, and we’ve got to be worried about that as we go forward.”

McKeown said that a key element of cryptographic modernization involves addressing the vulnerabilities associated with Public Key Infrastructure (PKI) in a post-quantum world. He noted that DOD hired Dr. Britta Hale to lead a centralized and orchestrated effort to identify and replace PKI algorithms across DOD’s software landscape with quantum-resistant cryptography.

“As we look at quantum and that problem set, we have to rationalize all of our software and find out where PKI is used and go in there and change the algorithm,” said McKeown.

DOD’s Risk Management Strategy

McKeown said that DOD is working to fix the risk management framework (RMF) at the department. The older RMF process, a compliance-driven model, is increasingly viewed as inadequate for real-time cybersecurity needs, as DOD’s Katie Arrington told GovCIO Media & Research earlier this month. McKeown said that DOD is working together to automate RMF functions, eliminating human error, expediting assessments and reducing costs.

The department is exploring automation tools, continuous monitoring, enterprise inheritance of controls and cloud service provider integrations within the RMF structure, McKeown said. The goal, he added, is to streamline the RMF to include security controls, reduce redundant paperwork and establish clearer communication channels between system owners, cybersecurity service providers and authorizing officials.

“What we found, though, is RMF is a compliance drill,” said McKeown. “It is not achieving cybersecurity the way we want it.”

Bolstering Zero Trust

DOD is committed to zero trust adoption throughout the department with the 2027 goal as a mile marker. Progress includes near-complete certification of Navy’s Flank Speed, Defense Information Systems Agency’s Thunderdome environments, McKeown said.

“By 2027, we’ll have built a series of minefields throughout the Department of Defense that the adversary, if they wander into one environment that is zero trust, chances are that we’ll catch them and be able to use that intelligence to inform others [of the threat],” said McKeown.

Software Fast Track

McKeown said the recently-announced DOD Software Fast Track (SWFT) program seeks to define strict industry criteria — such as software bill of materials and secure development frameworks — and streamline certification processes, accelerating the deployment of secure, mission-ready software. In a tighter budget environment, he said, DOD’s software deployment and acquisition programs need to become more cost-effective and useful.

“I don’t think we’ve done software security or supply chain risk management on software very well to date,” McKeown added. “The idea here is define criteria that we tell industry that they need to meet.”

Weapons Systems Cybersecurity Controls

Addressing concerns about potential budget cuts, McKeown called on the military services to take on a greater role in weapon system cybersecurity analysis. With more than 200 key weapon systems, McKeown said that DOD intends to empower service branches to conduct risk assessments, enabling faster and more effective defensive measures.

The DOD will also focus on developing better assessments for combat commands to better understand the mission impacts of cyber risks identified in their systems, he said.

“We’re also working on scorecards for the combat commands they need to know the risks that they’re incurring across all of those systems,” said McKeown. “We do an analysis of a weapon system, and we publish it, but I don’t think the combat commands really understand the impacts of their mission.”

AI and the Future of Cybersecurity

The DOD is also actively exploring the secure integration of artificial intelligence for both offensive and defensive cyber operations, McKeown said. The department needs to keep its data within its boundaries for security, while empowering the DOD workforce to use AI in their everyday work.

“We’ve got to train a workforce that is capable of doing all the things that you need to do in AI, defense, offense, just normal, optimizing your work so that you can do it better in leveraging AI,” said McKeown. “We’re not sticking our head in the sand. We’re embracing it.”