With two years until its 2027 zero trust deadline, the Pentagon is revving up its cybersecurity efforts, with plans for a new strategy, detailed guidance, and the review of dozens of “granular” action plans for defense organizations.
“We’re 24 months away from our deadline of the end of fiscal ‘27 to hit target level ZT,” which is a baseline ability to secure the Defense Department’s data, applications, assets, and services, Randy Resnick, who leads the Pentagon’s zero trust efforts, said Wednesday at the Billington Cybersecurity Summit.
Zero trust is a cybersecurity concept that assumes hackers are already inside networks, so the focus is on continuously verifying all users and devices that connect to the network.
The Pentagon formally created the zero trust portfolio management office in July to lead implementation and define the mission, roles, and authorities to update the Defense Department’s cybersecurity infrastructure to defend against modern threats. That office, which Resnick leads, is reviewing “granular information from the components on exactly what their plan is,” including details like what they’re going to buy, at what level, how it will be installed, and expected number of users. Annual plans are expected by November.
“We’re fully expecting [components’ plans] to be poised, because it’s now first quarter fiscal ‘26. We’ve been saying to the components: time to buy,” Resnick said. “They’re going to need every bit of those 24 months, or whatever the number of months is remaining, to move into a target level environment,” which includes waiting on supply chains to deliver, building infrastructure, developing policy, and migrating users and data.
The Pentagon expects to release new cybersecurity guidance for operational technology, such as industrial control systems, as well as a new zero-trust strategy document, both by January.
“We’ll come out with a new zero trust strategy. We’re calling it version 2.0. That’ll be essentially a global update, because it’s been many years since ‘22. We’ve learned a lot for zero trust for IT, we’ll include zero trust for OT and just bring everything modernized and up to date and make it more focused,” Resnick said.
“We’re in a good place. We’re focused almost entirely on the implementation, the procurement of zero trust for IT, and you’re going to see communications coming out of the DOD in the near future that is going to cement that message.”