Pentagon Advances Zero Trust Cybersecurity Strategy
The U.S. Department of Defense (DoD) is poised to unveil an updated iteration of its zero-trust cybersecurity strategy, aimed at broadening its applicability beyond traditional information technology (IT) systems. This strategic enhancement, referred to as Zero Trust Strategy 2.0, is anticipated to be publicly released by March 2026, according to Randy Resnick, Senior Advisor at the Pentagon’s Zero Trust Portfolio Management Office.
Evolution of Cybersecurity Protocols
The forthcoming document seeks to further develop the DoD’s initial zero-trust strategy, which was launched in 2022. This foundational approach mandated all components within the DoD to commence the adoption of enhanced cybersecurity measures. Central to the zero-trust philosophy is the assumption that adversaries may already infiltrate networks; thus, the Pentagon is moving towards an infrastructure that requires continuous validation of both users and devices as they navigate its digital landscape.
Expanded Focus on Critical Infrastructure
While previous efforts have predominantly centered on securing IT systems, Resnick emphasized that the next phase will notably incorporate operational technology (OT), Internet of Things (IoT), critical defense infrastructure, and weapon systems. This initiative marks a significant shift in recognizing that robust cybersecurity measures are essential across all operational domains.
Resnick elaborated on the strategy’s essence, stating:
“In version 2.0, we will thoroughly articulate approaches to safeguard these diverse frameworks.”
Implementation Framework
To ensure a systematic rollout of the zero-trust principles, the Pentagon will continue to structure implementation into two distinct tiers: target levels and advanced levels.
- Target Levels: These outline the basic cybersecurity capabilities that must be met.
- Advanced Levels: These represent more sophisticated security measures tailored to specific technologies.
For IT systems, the DoD has outlined 91 requisite cybersecurity capability outcomes to achieve target levels by the conclusion of fiscal year 2027. Additionally, there are 61 advanced-level outcomes to be met by fiscal 2032.
The inaugural guidance focused on OT was released in November 2025, detailing 84 target-level outcomes and 21 advanced outcomes tailored specifically to the unique cybersecurity needs of operational technologies. The distinctions between IT and OT are critical; Resnick noted:
“Operational technology differs fundamentally. For instance, sensors managing utilities cannot simply be disabled without significant consequences. A denial-of-service attack against OT equates to a self-inflicted disruption.”
Timeline for Implementation
The deadlines for achieving target and advanced levels of zero trust in operational technology are set for the end of fiscal years 2030 and 2033, respectively. These timelines are subject to revision as the strategy evolves. Plans for integrating zero trust into critical defense infrastructure and weapon systems are also in development.
Accelerated Accountability and Support
The DoD remains optimistic that its progress in zero trust for IT frameworks will hasten similar advancements across other domains. With a dedicated community of practitioners and vendors aligned with this mission, there is notable momentum to progress more rapidly.
Resnick emphasized the urgency, stating:
“Congress and stakeholders across the board are urging us to accelerate. These deadlines serve as definitive milestones, and we will hold the supporting entities within the DoD accountable to ensure adequate funding and assistance for this initiative.”
Conclusion
As the Pentagon prepares to release its updated zero-trust strategy, it signals a robust commitment to enhancing cybersecurity across various critical infrastructures. By adopting a holistic approach, the DoD aims not only to fortify its networks against emerging threats but also to create a more resilient defense posture capable of adapting to an evolving security landscape.
This proactive strategy underscores the significance of integrating advanced cybersecurity frameworks that resonate across operational technology domains, ensuring the integrity and security of the nation’s defense systems in the face of evolving cyber threats.
