Pentagon Eyes Next Step in Zero Trust Implementation
The Defense Department is on a path to achieve target-level zero trust by 2027, but the implementation process will be arduous and highly complex.

The Defense Department (DOD) plans to publicly release the zero trust overlay for the National Institute of Standards and Technology (NIST) 800-53 by summer, which will complete the full set of documentation DOD is required to provide to help the enterprise implement zero trust architecture.
DOD already released its zero trust strategy and reference architecture to guide the military departments and Fourth Estate working towards 2027 zero trust target levels.
“Target level for us means being able to stop the adversary. There’s a lot of science that goes behind how we define our activity level and our capability level,” Randy Resnick, DOD Zero Trust Portfolio Management Office director, said at AFCEA International’s TechNet Cyber 2023 conference in Baltimore this week. “A lot of it has to do with a lot of other information not found on classified networks that made us develop the definition the way we did.”
DOD CIO John Sherman said department-wide zero trust implementation is currently one of his highest priorities. He identified three approaches the services can choose from to implement the zero trust framework.
“We’ve also laid out our strategy, kind of a pick-your-own adventure. Folks may remember those books are a little like ‘Do you slay the dragon? Or do you go into the cave,’” Sherman told GovCIO Media & Research in an exclusive on-site podcast interview at TechNet Cyber 2023.
One is the brownfield approach, in which the military services build capabilities over their existing infrastructure. Alternatively, they can leverage the Joint Warfighting Cloud Capability (JWCC) contract and rely on commercial zero trust solutions offered by the JWCC awardees: Amazon Web Services (AWS), Google, Microsoft, and Oracle. The third route is through private cloud adoption.
Ensuring successful implementation of the zero trust framework does not just require an IT fix but also policies, training and doctrine.
Resnick’s office is on its way to delivering three zero trust courses within DOD. The basic zero trust awareness course is already available for military service members and civilian employees, but DOD is “seriously” considering mandating the course.
The other two courses, meant to train senior leaders, practitioners and implementers, will be released by July.
“You have to remember that people that are going to be installing zero trust need to understand what they’re working with, need to write policies and rules to do it correctly. That requires training,” Resnick said.
Resnick said the journey will be long and arduous, and DOD will work component by component to implement the architecture and meet the deadlines outlined in the zero trust strategy. While funding is essential in this effort, successful implementation also means staying on schedule and ensuring interoperability between cybersecurity services and solutions for an effective zero trust model.
“We really want to see multiple vendor integrations. Not one vendor is going to solve this problem. We want to see interoperability, we also want to see API security. And lastly…applications…they need to be written to be aware of their ZTE (zero trust edge) surroundings going forward. It needs to be aware of ICAM systems, it needs to be able to take some ins and outs of rules and policies. This is what I’m talking about being ZTE-aware,” Resnick said.
Scaling zero trust will require automation.
“The act of defenses will get stronger because we’re going to log everything. We’re going to have analytics over those logs, we’re going to do automation of responses versus a human in the loop. So that piece of it is big,” said David McKeown, acting principal deputy CIO and CISO at DOD.
Lt. Gen. Maria Barrett, commanding general of U.S. Army Cyber Command, emphasized the importance of automation in the cybersecurity process for continuous verification and for identifying unusual or suspicious activity.
“We fly planes on autopilot, we land them on autopilot. This is not scary to run a network in an automated way,” Barrett said.
Sherman said the zero trust approach might have prevented the recent leak of classified documents containing sensitive information about the ongoing Russia-Ukraine war.
“As you look at those seven pillars of zero trust, you have pillar number seven: visibility and analytics, other pillars automation and orchestration… Bringing all this together to prevent somebody, whether it’s external or internal, from moving laterally across the network, getting to data, not the system, but the data they’re not supposed to have access to, that’s what zero trust is really about,” Sherman said.