
Inside the Pentagon’s 2025 Cyber, Tech, Acquisition Reforms


Pentagon officials signal era of continuous verification, operational velocity and unprecedented autonomy to meet urgent threats.

Pete Hegseth speaks to U.S. service members stationed in the region during a troop engagement at Yokota Air Base, Japan, Oct. 29, 2025. Photo Credit: Air Force photo by Airman 1st Class David S. Calcote

The Pentagon overhauled its approach to technology, acquisition and even its department name following inauguration day nearly one year ago. Throughout 2025, the War Department has shifted toward continuous verification, operational velocity and unprecedented autonomy, while creating new approaches to risk management and cybersecurity.

“This urgent moment, of course, requires more troops, more munitions, more drones, more patriots, more submarines, more B-21 bombers,” War Secretary Pete Hegseth said in an Oct. 2025 speech to more than 800 of the nation’s top military leaders in Quantico, Virginia. “It requires more innovation, more AI in everything and ahead of the curve.”

Zero Trust: Never Trust, Always Verify

The principle of zero trust has moved from a theoretical concept to an actionable imperative across the DOW and the federal government, according to DOW officials. With a federal mandate to apply zero-trust architectures in place by fiscal 2027, the DOW made strides throughout services and national security entities in implementing zero trust.

“We’ve been able to show how you do [zero-trust implementation] … So now it’s, how do we build on that?” Department of the Navy Deputy CIO Barry Tanner said in Feb. 2025 at AFCEA West in San Diego, California. “We have a mandate to meet the basic zero trust requirements by 2027. That is really fast, that’s really hard, … [but] the assessments that were done last year will help inform all of the networks and programs that have work to do on that.”

The national security ecosystem requires zero-trust architectures because the environment’s decentralized nature and the increasing sophistication of attacks make cybersecurity increasingly complex, former Principal Director for Cybersecurity Gurpreet Bhatia said during GovCIO Media & Research’s March 2025 Defense IT Summit in Arlington, Virginia.

“The [department’s] definition of zero trust is trying to stop the adversary. We want to minimize the adversary’s ability to move through the network and have freedom of movement and exploit [DOW] data,” Zero Trust Portfolio Management Office Director Randy Resnick said during the May AFCEA TechNet event. “That means they can’t move laterally, they can’t break out of a micro segment, they can increase privilege escalation.”

Defense Information Systems Agency’s (DISA) zero-trust Thunderdome architecture passed 152 zero-trust exercises during testing in April 2025. Thunderdome, developed from an initial concept to a working reality with industry partners, has proven successful two years ahead of the Pentagon’s 2027 deadline for zero-trust implementation.

“We went from a concept on a whiteboard, quite literally, to articulating that concept, that vision, to this kind of a forum right to then partnering with a number of industry partners in the room here,” DISA Deputy Director Christopher Barnhurst said during TechNet’s opening keynote. “Dozens of products that are integrated into that design, and that is now real, and it’s real two years ahead of when the [DOW] CIO said it has to be real for the department.”

CMMC 2.0: The Rule of Law for the Defense Industrial Base

Six years in the making, the Pentagon published the final CMMC rule this year, establishing CMMC 2.0 in federal law and cementing its plans to enforce new cybersecurity requirements across the defense supply chain.

The War Department began enforcing the framework on Nov. 10, 2025, marking the start of a three-year rollout aimed at strengthening cybersecurity across the defense supply chain. The rule officially mandates that all DOW solicitations and contracts include CMMC 2.0 requirements for contractors and subcontractors that process, store or transmit Federal Contract Information or Controlled Unclassified Information.

Katie Arrington, performing the duties of the DOW CIO and one of the original architects of CMMC, framed the shift as a necessary cultural transformation for the entire defense community, telling GovCIO Media & Research in May 2025 that the “department is committed” to CMMC.

“It’s a complete cultural shift. I want you to adapt the culture of zero trust. I want you to adapt the culture of cybersecurity,” she said at the UiPath Public Sector Summit in April.

Risk Management: From Paperwork to Continuous, Automated Risk Management

The War Department announced the implementation of a sweeping Cybersecurity Risk Management Construct (CSRMC) in Sept. 2025, a new framework designed to replace the outdated, checklist-driven Risk Management Framework (RMF) with a system capable of delivering real-time cyber defense. Arrington told GovCIO Media & Research in May 2025 that risk management should be “a living, breathing culture.”

“Is it worth having 18 people sign off [on a project] and saying that ‘I’ve tested it and it’s good.’ Are we? Is the return on investment valuable in that?” Arrington said. “I say no. I say my money is much better spent in using tools and capabilities to ensure that the life cycle is appropriate and that the culture is appropriate, and that we’re continuously monitoring, continuously updating or continuously remediating.”

The CSRMC fundamentally changes the department’s approach, moving away from “snapshot-in-time” assessments that failed to keep pace with modern threats. The new construct is built on a five-phase lifecycle that embeds security at the outset and mandates continuous, automated monitoring.

“This construct represents a cultural shift in how the Department approaches cybersecurity,” said Arrington. “With automation, continuous monitoring and resilience at its core, the CSRMC empowers the DOW to defend against today’s adversaries while preparing for tomorrow’s challenges.”

Overhauling Software Acquisition

The Pentagon also established the Software Fast Track (SWFT) in May 2025 to streamline certification processes and bring commercial and mission-ready software into production faster. George Lamb, director of DOD Information Networks Capabilities, explained that SWFT is designed to integrate commercial off-the-shelf (COTS) software into the DevSecOps pipeline.

“Commercial technology is just software. How do we get that commercial software into our pipeline? SWFT is a process for going to look at the authorization process,” Lamb said at the 2025 Carahsoft DevSecOps Conference.

He added that the program builds on lessons from Platform One’s Iron Bank repository, which scans and evaluates software containers for risk rather than relying on a simple pass/fail model.

“We put insecure software in production all the time … Iron Bank scans it. We don’t stop it. We just put caveats around it,” Lamb said.

Arrington underscored SWFT’s role in enabling the department’s software acquisition pathway.

“The SWFT is to make more software available for the secretary’s software acquisition pathway, and blowing up the RMF will make the use of the SWFT and the software acquisition pathway more adaptable, so that we can be more lethal, more efficient and provide readiness to the warfighter,” Arrington told GovCIO Media & Research.

Budgetary pressures are also driving SWFT’s adoption.

“We’re kind of in a heavy rationalization phase right now and exploring all of the ideas that we can to do things better and faster,” David McKeown, DOW’s deputy CIO for cybersecurity, said at the Potomac Officers Club Cyber Summit in May 2025.

Pentagon Unveils Overhaul of Tech Acquisition to Speed Delivery

Hegseth announced sweeping reforms to accelerate how the department buys and fields technology in Nov. 2025, replacing decades-old processes with what leaders call a “wartime footing” for acquisition.

“The Defense Acquisition System, as you know it, is dead. It’s now the warfighting acquisitions system,” said Hegseth.

The reforms include canceling the Joint Capabilities Integration Development System (JCIDS), a requirements process criticized for taking nearly a year to approve a single document.

“JCIDS was focused on paperwork, not mission. It became a years-long bureaucratic anchor,” Hegseth said.

In its place, new forums will tie funding directly to top warfighting priorities and encourage experimentation and rapid prototyping.

Industry partners will be asked to deliver “85 percent solutions” quickly, with the Pentagon iterating improvements over time.

“An 85% solution in the hands of our armed forces today is infinitely better than an unachievable 100% solution endlessly undergoing testing,” Hegseth said.

The overhaul aims to stabilize demand signals, expand competition and rebuild the defense industrial base into what leaders described as a “new arsenal of freedom” capable of surging production at speed.

“[DOW] will only do business with industry partners that share our priority of speed and volume above all else and who are willing to surge American manufacturing at the speed of ingenuity to deliver rapidly and reliably for our warfighters,” Hegseth said.
