Governance & Danger Administration
,
Authorities
,
Trade Particular
Analysts Warn Compliance Targets Could Outpace Actual Safety Outcomes
The U.S. Division of Protection’s push to overtake its zero belief structure is dealing with mounting stress from different priorities together with integrating synthetic intelligence, cloud platforms and linked operational methods throughout the battlefield – elevating questions on whether or not the Pentagon will meet its bold September 2027 deadline to safe its methods in opposition to attackers.
See Additionally: Construct a Zero Belief Roadmap for FinServ
The convergence of rising expertise and the battlefield is forcing a broader shift in how the Pentagon approaches safety, analysts advised ISMG. The division first launched its zero belief technique and highway map in 2022, pledging to maneuver from perimeter-based defenses to a zero belief mannequin during which belief is constantly evaluated throughout customers, units and information in actual time. Latest congressional testimony from Pentagon Chief Data Officer Kirsten Davies detailed a sweeping effort to modernize the division’s expertise ecosystem and cybersecurity program, with an emphasis on operational resilience, information integration and quicker decision-making throughout army environments.
Davies advised lawmakers the division is pursuing a extra unified and risk-based strategy to cybersecurity, designed to interchange static compliance fashions with steady monitoring and adaptive protection mechanisms. The shift comes because the Pentagon works to safe what specialists describe as a sprawling and extremely fragmented atmosphere that features legacy IT methods, trendy cloud infrastructure and operational expertise tied on to mission methods.
“We’re embarking on a daring transformation,” Davies mentioned, noting that the Pentagon was “bringing again to the middle all of enterprise IT and the cybersecurity program” to assist remove duplicative spending, cut back technical debt, speed up modernization and unleash innovation “from the core to the sting throughout our joint forces.”
On the heart of the trouble is a renewed push to operationalize zero belief ideas throughout the Division of Protection atmosphere, requiring structural adjustments in governance, structure and execution throughout army providers, combatant instructions and protection companies. Earlier studies have mentioned that the Protection Division has struggled to handle persistent cybersecurity weaknesses, together with gaps in asset visibility, system authorization and threat administration processes (see: DOD Failing to Repair Important Cybersecurity Gaps, Report Says).
These challenges are additionally compounded by the size of the division’s digital ecosystem and the rising reliance on interconnected methods – together with these operated by contractors and companions throughout the protection industrial base. Latest coverage adjustments replicate an effort to handle the broader assault floor, with new cybersecurity necessities for protection contractors supposed to strengthen baseline protections throughout the provision chain (see: Pentagon Points Lengthy-Awaited Contractor Cybersecurity Rule).
Congress has additionally elevated funding for army cybersecurity packages, with the fiscal 2026 protection authorization invoice allocating roughly $15 billion towards cyber initiatives tied to modernization and nil belief implementation (see: US Army Cyber Finances Jumps to $15B in 2026 NDAA).
However even with that funding, officers and analysts say the division faces deeper structural challenges that may’t be solved by way of funding alone – significantly round fragmented governance and uneven implementation throughout elements.
Timothy Amerson, a veteran federal CISO with over 30 years of cybersecurity expertise throughout the Pentagon and civilian department companies, mentioned the division’s 2027 zero belief deadline is achievable – however could obscure the distinction between compliance and actual safety outcomes.
“The 2027 deadline is achievable in title, however provided that we’re trustworthy about what goal stage truly means,” Amerson advised ISMG. “As of early 2025, solely 14% of target-level zero belief actions had been accomplished throughout DoD’s 58 elements.”
Amerson, who at present serves as federal CISO for GuidePoint Safety, mentioned the extra important threat is how success will likely be measured because the deadline approaches.
“What issues me is whether or not these containers characterize real threat discount or compliance theater,” he mentioned, pointing to persistent gaps in id, information and legacy infrastructure as key friction factors, significantly because the division works to implement federated id methods and constant information classification throughout its atmosphere. “Federated id solely protects you when each node is enrolled, and DoD shouldn’t be there but,” he mentioned.
With out constant information tagging, analysts additionally famous that zero belief architectures lack the context wanted to implement coverage successfully.
James Winebrenner, CEO of Elisity, mentioned the complexity of the protection atmosphere makes attaining a mature zero belief posture basically completely different from industrial enterprise deployments.
“The 2027 goal is bold, and the ambition is precisely proper,” Winebrenner advised ISMG. “However once you’re speaking about securing tens of millions of endpoints throughout air-gapped networks, legacy OT infrastructure, coalition environments and edge deployments spanning each area, warfare ‘mature’ means one thing categorically completely different from what it means in a industrial enterprise.”
Winebrenner pointed to early successes such because the Navy’s Flank Pace program and DISA’s Thunderdome initiative as proof that zero belief will be carried out successfully inside outlined environments. However scaling these fashions throughout the complete division presents a considerably higher problem, significantly on condition that solely a small portion of zero belief actions had been accomplished as of early 2025.
Winebrenner additionally advised ISMG that one of the persistent gaps is the disconnect between id methods and network-level enforcement. That hole is very pronounced in operational expertise environments, analysts famous, the place legacy methods and prolonged modernization timelines complicate enforcement and prolong threat publicity past the 2027 deadline.
Davies advised lawmakers the division is working to centralize oversight of enterprise IT and cybersecurity features beneath the CIO, streamline necessities and standardize approaches throughout the enterprise as a part of its broader transformation technique.
The hassle additionally consists of nearer integration between cybersecurity operations and mission methods, in addition to initiatives to enhance interoperability with allies and companions by way of shared environments designed for safe information alternate.
The division can also be increasing its cyber workforce authorities and coaching packages to handle persistent expertise shortages and assist the transition to extra superior safety fashions, in line with Davies.
The Division of Protection didn’t reply to a request for remark.
