The Department of Defense (DoD) is planning to release new zero trust guidance in the summer of 2025 related to operational technology (OT) – and extending beyond the department’s fiscal year (FY) 2027 zero trust goal.
The DoD chief information officer (CIO) set an ambitious goal in 2022 to implement a zero trust architecture across the entire department by FY2027. To reach this “target level” of zero trust, defense agencies must meet 91 capabilities – and a total of 152 for “advanced” zero trust.
Randy Resnick, the director of DoD’s Zero Trust Portfolio Management Office (PfMO), said that the department established and designed “target level zero trust” to stop an adversary – something that he said falls “in the box called IT.”
“Recently, in the last six months, we have pivoted – not left IT, but pivoted – to now thinking about OT,” Resnick said on Tuesday during the Red Hat Government Symposium in Washington, D.C. “OT also has vulnerabilities that we are concerned about, and so the question that has come up naturally is, ‘What are you doing about OT in a ZT sense?’”
“So, while there’s a deadline or target for IT by the end of 2027 fiscal year, we are going to be coming out with guidance for OT, and that’ll probably come out at the end of this summer, summer ’25, and we’ll have a date beyond 2027 where we start establishing ZT and OT,” he said.
Resnick explained the department is “concerned about defense critical infrastructure,” but “the beauty of zero trust” is that you assume the adversary is in your network – something that is critical as China attempts to maintain footholds in U.S. critical infrastructure.
Maj. Gen. Matteo Martemucci, the deputy chief of the Central Security Service within the National Security Agency (NSA), pointed to Volt Typhoon – the China-based hacking group that has compromised the IT environments of multiple U.S. critical infrastructure organizations.
Martemucci called the malicious cyber activity from the People’s Republic of China “the pressing challenge of our time.”
“This entity and these operators exist – they are operating in U.S. space, in U.S. critical infrastructure,” Martemucci said, referring to Volt Typhoon. “And what’s perhaps most significant is that they’re doing so not in order to collect intelligence, espionage, the thing we’ve always done, but in fact, to be placed in order to be able to hold critical infrastructure at risk. That’s a game changer, that’s different.”
Both Martemucci and Resnick said that partnerships are crucial to finding solutions to these ever-evolving cyber threats.
David Carroll, the associate director for mission engineering at the Cybersecurity and Infrastructure Security Agency (CISA), echoed the other panelists in saying, “Collaboration is important.”
“What we really need is for all of you to get involved with us and fuel [our] products, both from a technological partnership and advancement standpoint. We want to deliver the best for the nation and for all of you,” Carroll said.
“In terms of what the vendors in this audience can do, we need solutions. We need integrated solutions,” Resnick added. “Zero trust … it’s not easy. It’s going to require multiple vendors.”
Resnick noted the recent success of the Department of the Navy’s Flank Speed cloud service, which is the first to achieve full compliance with the DoD’s FY2027 zero trust goal. The achievement was made possible by a coalition of DoD and industry experts, including Microsoft.
Flank Speed met all 91 “targeted” zero trust capabilities, hitting a major milestone about three years ahead of deadline. It also met 60 of the 61 “advanced” zero trust activities.
“The Navy deserves tremendous accolades on what they achieved,” Resnick said. “This was a major success … but there are other cloud providers that I’m hoping and I truly believe are going to be popping out soon with other successes.”