Analysts Warn Compliance Goals Could Outpace Real Security Outcomes

The U.S. Department of Defense’s push to overhaul its zero trust architecture is facing mounting pressure from other priorities, including integrating artificial intelligence, cloud platforms and connected operational systems across the battlefield – raising questions about whether the Pentagon will meet its ambitious September 2027 deadline to secure its systems against attackers.
The convergence of emerging technology and the battlefield is forcing a broader shift in how the Pentagon approaches security, analysts told ISMG. The department first launched its zero trust strategy and road map in 2022, pledging to move from perimeter-based defenses to a zero trust model in which trust is continuously evaluated across users, devices and data in real time. Recent congressional testimony from Pentagon Chief Information Officer Kirsten Davies detailed a sweeping effort to modernize the department’s technology ecosystem and cybersecurity program, with an emphasis on operational resilience, data integration and faster decision-making across military environments.
Davies told lawmakers the department is pursuing a more unified and risk-based approach to cybersecurity, designed to replace static compliance models with continuous monitoring and adaptive defense mechanisms. The shift comes as the Pentagon works to secure what experts describe as a sprawling and highly fragmented environment that includes legacy IT systems, modern cloud infrastructure and operational technology tied directly to mission systems.
“We’re embarking on a daring transformation,” Davies said, noting that the Pentagon was “bringing back to the center all of enterprise IT and the cybersecurity program” to help eliminate duplicative spending, reduce technical debt, accelerate modernization and unleash innovation “from the core to the edge across our joint forces.”
At the center of the effort is a renewed push to operationalize zero trust principles across the Department of Defense environment, requiring structural changes in governance, architecture and execution across military services, combatant commands and defense agencies. Earlier reports have said that the Defense Department has struggled to address persistent cybersecurity weaknesses, including gaps in asset visibility, system authorization and risk management processes (see: DOD Failing to Fix Critical Cybersecurity Gaps, Report Says).
These challenges are also compounded by the scale of the department’s digital ecosystem and the growing reliance on interconnected systems – including those operated by contractors and partners across the defense industrial base. Recent policy changes reflect an effort to address the broader attack surface, with new cybersecurity requirements for defense contractors intended to strengthen baseline protections across the supply chain (see: Pentagon Issues Long-Awaited Contractor Cybersecurity Rule).
Congress has also increased funding for military cybersecurity programs, with the fiscal 2026 defense authorization bill allocating roughly $15 billion toward cyber initiatives tied to modernization and zero trust implementation (see: US Military Cyber Budget Jumps to $15B in 2026 NDAA).
But even with that funding, officials and analysts say the department faces deeper structural challenges that can’t be solved by funding alone – particularly around fragmented governance and uneven implementation across components.
Timothy Amerson, a veteran federal CISO with over 30 years of cybersecurity experience across the Pentagon and civilian branch agencies, said the department’s 2027 zero trust deadline is achievable – but may obscure the difference between compliance and real security outcomes.
“The 2027 deadline is achievable in name, but only if we’re honest about what target level really means,” Amerson told ISMG. “As of early 2025, only 14% of target-level zero trust activities had been completed across DoD’s 58 components.”
Amerson, who currently serves as federal CISO for GuidePoint Security, said the more significant risk is how success will be measured as the deadline approaches.
“What concerns me is whether these boxes represent real risk reduction or compliance theater,” he said, pointing to persistent gaps in identity, data and legacy infrastructure as key friction points, particularly as the department works to implement federated identity systems and consistent data classification across its environment. “Federated identity only protects you when every node is enrolled, and DoD is not there yet,” he said.
Analysts also noted that without consistent data tagging, zero trust architectures lack the context needed to enforce policy effectively.
James Winebrenner, CEO of Elisity, said the complexity of the defense environment makes achieving a mature zero trust posture fundamentally different from commercial enterprise deployments.
“The 2027 goal is ambitious, and the ambition is exactly right,” Winebrenner told ISMG. “But when you’re talking about securing tens of millions of endpoints across air-gapped networks, legacy OT infrastructure, coalition environments and edge deployments spanning each area, warfare ‘mature’ means something categorically different from what it means in a commercial enterprise.”
Winebrenner pointed to early successes such as the Navy’s Flank Speed program and DISA’s Thunderdome initiative as evidence that zero trust can be implemented effectively within defined environments. But scaling those models across the entire department presents a significantly greater challenge, particularly given that only a small portion of zero trust activities had been completed as of early 2025.
Winebrenner also told ISMG that one of the most persistent gaps is the disconnect between identity systems and network-level enforcement. That gap is especially pronounced in operational technology environments, analysts noted, where legacy systems and lengthy modernization timelines complicate enforcement and extend risk exposure beyond the 2027 deadline.
Davies told lawmakers the department is working to centralize oversight of enterprise IT and cybersecurity capabilities under the CIO, streamline requirements and standardize approaches across the enterprise as part of its broader transformation strategy.
The effort also includes closer integration between cybersecurity operations and mission systems, as well as initiatives to improve interoperability with allies and partners through shared environments designed for secure data exchange.
The department is also expanding its cyber workforce authorities and training programs to address persistent talent shortages and support the transition to more advanced security models, according to Davies.
The Department of Defense did not respond to a request for comment.









