Randy Resnick, senior advisor of the Zero Trust Portfolio Management Office in the DOD, said Wednesday that the department is developing those guidance documents as expansions and variations of the 91 baseline “target-level” zero-trust activities it has already released for industry models to meet.

The new IoT and OT guidance are expected sometime in September, Resnick said at the GDIT Emerge: Edge Forward event, produced by FedScoop.

DOD uses what it refers to as “fan charts,” Resnick said, to lay out the various security controls vendors must build into their zero-trust solutions to meet the baseline for military services and defense agencies. In total, there are 152 controls — 91 at the target level and 61 at the advanced level, which “offer the highest level of protection,” the department said in guidance from 2024.

Resnick said that the fan chart for operational technology is “different” than that of the 91 activities needed to meet target-level compliance, though “there’s a lot of overlap.”

“The number of activities to hit target-level OT is different,” he explained.

For securing IoT systems with zero trust, Resnick said it’s essentially the same 91 target-level activities, plus two additional controls.

Explaining why it was necessary to build out additional overlays for OT and IoT systems, he said the way you respond to an incident is quite different, especially for operational technology.

With OT, Resnick said, “You want to have it fail open, or you want to have it fail in a way that doesn’t disturb or cause more mischief or harm than you want.”

Once those pieces of guidance arrive in September, just one more such directive remains for the DOD to issue: zero-trust overlays for weapons systems, said Resnick.

With the 2027 deadline looming, Resnick said he feels like “we’re in good shape,” especially after his office was spared in recent DOGE cuts, he said.

He explained that the department continues to experience successful pilots with industry that meet target or advanced levels of zero trust. And with more of those solutions taking shape, it’s getting closer to the point where DOD organizations will be able to “just buy it, implement it, install it, and pretty much get there before the end of [2027],” Resnick said.

The hard part will then be installing the solutions, he explained.

“We’re talking professional services and a whole army of people that are probably going to be required,” Resnick said. “We’re talking about full swap-outs and new infrastructures. This is not a small problem … I certainly hope that industry is thinking like that.”

The post Pentagon zero trust guidance for IoT and OT coming in September appeared first on DefenseScoop.

This bombshell revelation came just as the Department of Defense floated a “soft” deadline of 2035 to achieve Zero Trust (ZT) cyber protections for the same operational technology in weapons systems. The Pentagon’s Zero Trust portfolio director, Randy Resnick, described the DOD’s challenge in alarming terms: “We are far away. I’m suggesting fiscal [year 20]35 and beyond. That might actually be a 10-year effort or more.” This admission is not deterrence, but an open invitation for adversaries to ignore the Geneva Conventions and coerce Americans with existential threats. We are in a hot cyber war today, not in 2035. Our adversaries are attacking our water and power systems now. So why is the Pentagon telling our adversaries they have 10 years to penetrate our OT, disrupt mission-critical assets, and prevent weapons from launching and hitting their targets?

The secretary of defense and combatant commanders are prioritizing urgent lethality to immediately deter an adversary. We don’t have the luxury of time where “soft” deadlines introduce more risk to our global missions, weakening the deterrent credibility of the entire U.S. military. With global strife raging, we need this leadership in all programs, including the cyber protection of OT. However, when Pentagon leaders assess “no easy feat” with estimated capabilities “far away,” the message to adversaries is clear: We’re unprepared and unwilling to act quickly to counter this specific cyber threat… and that must change.

Zero trust means zero excuses.

The CIO must ensure that the next Zero Trust Strategy for Operational Technologies provides clear implementation guidance and mandatory compliance requirements. This means all stakeholders, along with deadlines and measurable cyber-related Key Performance Indicators (KPIs) tied to readiness and warfighter capability. Moreover, command leadership must be held accountable for these outcomes. Our adversaries are planning to utilize cyberattack vectors to compel national capitulation by disabling weapon systems, denying critical defense assets, and jamming communication pipelines. We need a sense of urgency and accountability to mitigate this risk to Golden Dome (once it comes online) and our forward-deployed forces.

The new CIO must work with all levels of command to alter the calculus in adversary cyber decision-making. No more “soft” goals and “far-off” timelines. We need a wartime footing inside the Pentagon’s cyber leadership, which means an operational sprint in which:

• COCOMS must demand defensive cyber capabilities for their OT assets from U.S. Cyber Command.
• Military cyber defenses must be extended to defend critical infrastructure.
• OT vulnerabilities must be accounted for in the department’s Information Assurance Enterprise Vulnerability Management Program (VMP).
• DOD’s Cyber Operational Readiness Assessment (CORA) criteria must include OT.
• A program of record must be established with effects-based goals and substantial funding for the rapid deployment of proven security tools already in use by private industry.
• OT protections must be prioritized in acquisition and sustainment programs.
• OT cyber protections must be integrated directly into operational availability metrics.

Zero trust isn’t a compliance exercise, it’s a warfighting necessity.

It’s time to stop admiring the challenge of implementing ZT for OT and get serious about cyber protections and resilience required to project power globally. When the CCP embeds malware in weapons systems, telecom networks, fuel systems and ammunition plants, as well as port cranes, rail systems and other critical assets, it is preparing for conflict with sabotaging activities. The Chinese have confirmed their intent and don’t care about strategies, data calls, or fan charts. If we accept a decade-long timeline, they will hurt our ability to deploy and fight effectively. The Defense Department must respond with urgency now with near-term risk mitigations, or our warfighters will be switched off just when our country needs them the most.

Lucian Niemeyer is an Air Force veteran, former professional staff member on the U.S. Senate Armed Services Committee, and former assistant secretary of defense who also served in the White House Office of Management and Budget. He currently leads the non-profit organization, BuildingCyberSecurity.org.

Tatyana Bolton is the executive director of the Operational Technology Cybersecurity Coalition, a principal at Monument Advocacy, and former policy director of the Cyberspace Solarium Commission. She has also served at the Department of Defense (DoD), the Cybersecurity and Infrastructure Security Agency (CISA), and Google. She currently serves on the Advisory Board of Berkeley’s CLTC and the Cybersafe Foundation, and as a senior advisor to CSC 2.0.

The post The Pentagon’s cyber malaise: Zero trust deadlines translate to zero urgency appeared first on DefenseScoop.

The achievement is a major milestone for DISA’s Thunderdome initiative, which offers a suite of IT and cybersecurity technologies that various agencies across the Defense Department can use as their zero-trust solution. DISA’s validation of Thunderdome comes more than two years ahead of the Pentagon’s deadline to implement target levels of zero trust by the end of fiscal 2027.

“It is a stellar machine system and environment, and there’s a lot of DOD field activities and agencies that are depending on that solution as its [zero-trust] solution,” Resnick said Wednesday during the Defense Acquisition University’s annual Zero Trust Symposium.

Zero trust is a cybersecurity framework that assumes networks are already compromised by adversaries, as opposed to the perimeter-based standards traditionally employed by the DOD. Rather than establishing a protective cybersecurity boundary over its networks, zero trust requires the Pentagon to integrate new capabilities that can constantly monitor and authenticate its networks and users as they move through them.

The DOD’s 2022 Zero Trust Strategy outlined a minimum set of 91 capability outcomes that agencies and components must meet to achieve “target levels” of zero trust no later than Sept. 30, 2027. The strategy also provided an additional 61 activities that are required to meet what the Pentagon considers “advanced levels.”

Resnick said DISA’s Thunderdome achieved a “perfect 152 out of 152,” meaning the solution is the second to hit all of the department’s ZT capability outcomes. The Navy’s cloud-based Microsoft Office 365 platform — known as Flank Speed — was the first zero-trust solution to achieve advanced levels, and met all 152 requirements earlier this year.

“Thunderdome is the Defense Information Systems Agency’s (DISA) comprehensive ZT solution,” Chris Pymm, Thunderdome portfolio manager at DISA, told DefenseScoop in a statement. “Recently, the Department of Defense DOD CIO purple team has validated that Thunderdome provides advanced level ZT across all 152 activities in DOD’s ZT model. What’s more, organizations can leverage DISA’s Thunderdome procurement vehicle to meet their integration ZT needs.”

According to the agency, the Thunderdome solution leverages enterprise identity credential and access management (ICAM); commercial secure access service edge capabilities; and software-defined wide area networking and security tools.

In 2022, DISA awarded Booz Allen Hamilton a $6.8 million other transaction agreement to prototype Thunderdome, which was later extended to include the Pentagon’s classified Secure Internet Protocol Router Network (SIPRNet). Following 18 months of development, the company received a follow-on production contract in 2023 to transition the solution into full deployment. 

The award is structured as an indefinite delivery/indefinite quantity (IDIQ)-like award to allow for other Pentagon agencies and departments to leverage the OTA over a five-year period. The contract has a total ceiling of $1.86 billion.

Pymm said that Thunderdome “will complete the DISA terrain in June of this year.” The effort’s zero-trust capabilities will be scaled to defense agencies and field activities via the broader migration of users to its new modernized network, known as DODNet, he added.

In fiscal 2025, Thunderdome will be fielded to the Defense Contract Management Agency, Defense Contract Audit Agency, Defense Logistics Agencies, Defense Media Activity, Defense Finance Accounting Service and the Defense Microelectronics Activity.

Moving forward, DISA plans to deploy the capability to the following agencies and organizations in fiscal 2026: Defense Threat Reduction Agency, Joint Staff’s J-6 directorate, Defense Advanced Research Projects Agency, Missile Defense Agency and Defense Manpower Data Center.

Updated on April 2, 2025, at 5:25 PM: This story has been updated to include more information from DISA about plans for Thunderdome and statements from Chris Pymm, Thunderdome portfolio manager.

The post DISA’s Thunderdome achieves advanced zero-trust goals appeared first on DefenseScoop.

The SECNAV is the top civilian responsible for leading the Department of the Navy, which also includes the Marine Corps. Phelan, a businessman and co-founder of MSD Capital, was nominated for the post by President Donald Trump.

Ahead of his confirmation hearing last month, Phelan told lawmakers that he planned to push for more investment in uncrewed systems and enabler technologies — such as autonomy, mission systems and communications — for manned-unmanned teaming by the Navy and jointly with the other military services.

He’s coming into the job as the sea service is pursuing a “hybrid fleet” and trying to accelerate the fielding of robotic platforms to counter China, including via Project 33. The Marine Corps is also pursuing collaborative combat aircraft via its Penetrating Affordable Autonomous Collaborative Killer-Portfolio (PAACK-P) program, as well as loitering munitions.

Phelan also noted the need for a variety of counter-drone tools, informed by recent Navy efforts to thwart attacks by the Houthis and protect military and commercial vessels in the Red Sea. Some defense officials have said the military needs cheaper options for shooting down inexpensive adversary unmanned aerial systems.

“The Red Sea engagements provided valuable lessons. While cost exchange ratios are a useful metric against low-cost threats, they don’t encompass the full complexity of naval warfare. I fully support a Captain utilizing the most effective means available to eliminate threats and protect their multibillion-dollar ship and crew. However, we must provide them with a wider variety of reliable options beyond their current limited and costly solutions. If confirmed, I will prioritize expanding development of layered ship defense capabilities, including guns, directed energy, loitering munitions, and other innovative technologies,” Phelan wrote in response to advance policy questions from senators.

The Marines are also gung-ho about counter-drone tech, having recently awarded a $642 million contract to Anduril to deliver, install and sustain a family of systems to protect its installations from small UAS.

Phelan also weighed in on digital threats that the department is confronting expressing his view that the top cyber challenges facing the Navy are securing defense critical infrastructure and weapon systems, increasing cyber force readiness and executing critical modernization efforts.

“Removing legacy information technology, modernizing cryptography, implementing zero trust, and hardening classified networks all contribute to modernizing the Department of the Navy. Importantly, the readiness of our military and civilian workforce is critical for achieving our priorities in cyberspace. It is my understanding that the Navy and Marine Corps have made notable progress in strengthening cybersecurity and resiliency in operational technology environments and in improving the readiness of their personnel in the Cyber Mission Force [overseen by U.S. Cyber Command],” he wrote.

“Additionally, the Department of the Navy recently delivered the first fully validated implementation of a true Zero Trust architecture in the Department of Defense. If confirmed, I will expect the [Navy’s principal cyber adviser] to work closely with the Chief Information Officer and Navy and Marine Corps stakeholders to drive tangible outcomes in these areas,” he told lawmakers.

The department is also placing greater emphasis on information warfare, which includes intelligence, electronic warfare, cyber, cryptology and networks, among other areas.

Phelan told senators that, if confirmed, he would request a detailed briefing on the Navy’s “information dominance” capabilities and determine resourcing, workforce and innovation priorities to integrate into the joint force’s modernization efforts.

“If confirmed, I will empower the Naval Information Warfare Community to recruit, retain and promote the most skilled and qualified Sailors to train and conduct integrated fires to effectively deter and combat threats to our Nation. These actions align to the Department of the Navy Cyber Strategy which calls for effective sequencing and synchronization of non-kinetic effects to generate decisive advantages,” he wrote.

Phelan — who has no previous military experience — will take the helm of the Navy as the Pentagon is in the midst of DOGE reviews, hiring freezes and efforts to reduce the DOD’s civilian workforce by more than 50,000 people. Defense Secretary Pete Hegseth recently issued a memo giving service secretaries the authority to request and authorize certain exemptions to the civilian hiring freeze. Last week, the department released another memo with a list of more positions that are eligible for exemptions.

“Congratulations John Phelan on being Confirmed as the 79th Secretary of the Navy!” Hegseth wrote in a post on X Monday evening. “Looking forward to supporting our warfighters together.”

In a statement, Aerospace Industries Association (AIA) President and CEO Eric Fanning said the new SECNAV’s “business acumen will infuse the Navy with a strategic approach to expanding our fleet to meet deterrence needs across the world, especially in the Indo-Pacific,” adding that his “commitment to readiness, effectiveness, and efficiency aligns seamlessly with our industry’s priorities. We look forward to collaborating with Secretary Phelan to ensure our Sailors are equipped with the finest equipment in the world.”

Phelan’s confirmation marks the latest success by the Trump administration in filling high-level posts at the Pentagon.

On March 14, the Senate confirmed Stephen Feinberg as deputy secretary of defense to serve as the Pentagon’s No. 2 under Hegseth. Trump’s pick for Army secretary, Daniel Driscoll, was confirmed in late February. And earlier this month, Katie Arrington was appointed acting Pentagon CIO.

However, other nominees for high-level Pentagon jobs have yet to be confirmed, such as Lt. Gen. Dan “Razin” Caine as chairman of the Joint Chiefs of Staff and Troy Meink as Air Force secretary, among others.

It’s also uncertain who will be the next chief of naval operations working alongside Phelan to lead the sea service. Last month, Trump fired Adm. Lisa Franchetti as CNO and hasn’t nominated a replacement. In the meantime, Adm. James Kilby, vice chief of naval operations, is performing the duties of CNO.

Other key nominations for senior positions that have yet to be confirmed include Michael Duffey to be undersecretary of defense for acquisition and sustainment, the Pentagon’s top weapons buyer; Emil Michael to be undersecretary of defense for research and engineering, a role tasked with fostering next-generation military capabilities and overseeing critical technology areas; and Elbridge “Bridge” Colby to be undersecretary of defense for policy, among others. A confirmation hearing for Meink, Michael and Duffey is scheduled for Thursday.

Updated on March 25, 2025, at 9:50 AM: This story has been updated to include comments from Defense Secretary Pete Hegseth and AIA President and CEO Eric Fanning.

The post Senate confirms Trump’s pick to lead Navy and Marine Corps appeared first on DefenseScoop.

“This concludes a rewarding journey through military service, private industry, and government leadership. It’s been an honor to support our mission, lead technology initiatives, and work alongside the exceptional personnel of our Air and Space Forces,” she said in a post on LinkedIn announcing her exit. 

Goodwine was tapped to serve as DAF CIO in August 2023, and oversaw modernization efforts for information technology, cybersecurity, data and artificial intelligence for both the Air and Space Forces. She led several initiatives throughout her tenure that aimed to streamline the DAF’s experimentation and adoption of emerging AI capabilities, while also pushing for increased transparency on the department’s development and spending on the technology.

In 2024, she helped stand up the DAF’s NIPRGPT 1.0 platform, where airmen, guardians, civilian employees and contractors can interact with a generative AI chatbot on the Non-classified Internet Protocol Router Network (NIPRNet). The tool served as a way for the department to experiment with large language models to help determine best use cases in the future.

Goodwine was also involved in the department’s work to adopt zero-trust cybersecurity frameworks, as mandated by the Pentagon. Her Zero Trust Strategy, released last year, emphasized leveraging cloud-based capabilities and integrating identity, credential, and access management (ICAM) solutions.

Prior to serving as DAF CIO, Goodwine was the director of enterprise information technology for the department. She previously spent more than two years as chief information security officer at the Department of Agriculture.

Goodwine is an Air Force veteran, having joined active duty in 1986 and serving as a signals intelligence analyst. She then served in the Air Force Reserve from 2002 until her retirement from uniformed military service in 2022.

Although she is leaving federal service, Goodwine noted in her LinkedIn post that she is open to other opportunities outside of government.

“After years of tackling complex challenges, I’m looking forward to this period of rest and reflection. But make no mistake—this is just a break, not an ending. I remain excited about future opportunities and new ways to contribute,” she wrote.

The post Venice Goodwine exiting role as Air Force CIO appeared first on DefenseScoop.

Network modernization is a top priority for service leadership. The deputy chief of staff, G-6, trumpeted the unveiling of Army Unified Network Plan 2.0 in a LinkedIn post Tuesday.

“AUNP 2.0 is new guidance on how the warfighter actually approaches, accelerates and operationalizes the unified network across the board,” Lt. Gen. Jeth Rey said in a statement. “It’s going to enable multi-domain operations and chart the roadmap of where we’re going for the unified network by 2027. It also talks about the critical enablers required to achieve a multi-domain operational Army by 2030.”

The first iteration of the unified network plan was released in 2021.

“Since then, a confluence of emerging technologies and events has transformed the world into a multidomain, persistently contested information environment that demands a far more data-centric approach to harness the power of the Army Network to fight and win,” officials wrote in version 2.0.

Integrating zero trust — a cybersecurity framework that assumes adversaries are already moving through information technology networks and therefore requires organizations to continuously monitor and validate users and their devices as they move through the network — is a key element of the second iteration. It’s also a top IT modernization priority for the Defense Department writ large. The DOD’s goal is for all components to achieve “target levels” of zero trust by the end of fiscal 2027.

The Army’s new document is “a strategic guide to operationalize the Unified Network through a focus on ZT principles that improve how the Army’s network moves and secures data,” officials wrote. “The plan incorporates observations and lessons learned from ongoing operations around the globe, as well as best practices for security. Static command posts are no longer uncontested in combat operations; neither are our data or network. As with command posts, the network and data must be agile, adaptable, and able to rapidly move to the point of need even in a denied, disrupted, intermittent, and limited bandwidth (DDIL) environment. Whereas past network strategies homed in on perimeter defense and hardware, the AUNP 2.0 is focused on common principles and standards to centrally deliver and manage the network and data.”

Other key principles include reducing or eliminating information technology complexity at the tactical edge; centralizing IT service delivery and resourcing; establishing and employing common standards, processes and systems; pursuing priorities for command and control in support of multi-domain operations; enabling faster, secure data-sharing across security domains and with allies and partners; and developing concepts of operation and “validated operational requirements at echelon.”

In the near term, the Army is focused on efforts to “operationalize” the unified network, including by completing the operations construct for the Army’s portion of the Department of Defense Information Network with supporting force structure; implementing a hybrid compute capability in support of tactical formations operating in denied, disrupted, intermittent and limited bandwidth environments; and establishing a “persistent” Mission Partner Environment and funding strategy, inclusive of “all hardware, software, infrastructure, sustainment, and people” from the tactical edge to the enterprise level, among other initiatives.

“This phase ends with the establishment of a Unified Network based on Zero Trust principles, enabling the seamless transfer of data across all echelons, postured to support” multi-domain operations, according to officials.

For the next phase beginning in 2027, the focus will be on additional modernization and transformation, such as final integration of the zero-trust architecture and continued integration with the other services and mission partners.

Emerging technologies that are expected to play a key role in that effort include dynamic and diverse transport, robust computing and edge sensors; data-centric data management technologies and platforms with tagging and labeling at the source; robotics and autonomous operations; quantum-resistant encryption and technologies; and AI and machine learning models and capabilities, among others, according to the Army.

The post Army unified network plan 2.0 prioritizes zero trust appeared first on DefenseScoop.

Brian Hermann, director and program executive officer for DISA’s PEO Cyber, told a small group of reporters Friday that the agency expects to complete all ICAM federation activities with the services by the end of fiscal 2025.

The plan is to build off ongoing work with the Army and federate its ICAM solutions in March. DISA will then work with the Navy and Marine Corps to federate their instances by the end of June, and finally complete federation with the Air and Space Forces before the end of September, Hermann said.

ICAM generally comprises a set of IT policies, systems and security tools that verifies users have the right credentials to access certain parts of a network — in this case the Pentagon’s. While various Defense Department components have worked to develop their own ICAM capabilities, the larger department has sought to create and implement an enterprise solution to streamline information sharing across the Department of Defense Information Network, as well as with international allies and partners. 

“ICAM is how we work across the department, as well as how we work with our mission partners,” Hermann said. “Enabling our work with allied and coalition partners means we have to have some connectivity and understanding of who we’re working with in that coalition, make sure that we have an understanding of their access rights and grant them access to DOD resources — as well as grant DOD users access to things that we have to share with those mission partners.”

Overall, ICAM is a key part of the Defense Department’s journey to operating under a zero-trust cybersecurity framework, which requires all users and devices connected to a network to be continually authorized as they move through it. Hermann emphasized that DISA’s federation activity is crucial in the department’s goal of achieving “target levels” of zero trust by the end of fiscal 2027.

“We’re leading that effort for the department,” he said. “Any other ICAM implementations that may exist are going to depend on us getting this federation activity done.”

At the end of 2024, DISA stood up a federation hub to begin work consolidating the Pentagon’s existing ICAM instances, beginning with the Army’s, Hermann noted. The hub gives DISA a “total picture” of all the information users can access and ensures the agency can deconflict roles they might have in other systems across the department, he said.

Once the federation is complete with the military services, Hermann said DISA plans to connect with the Defense Manpower Data Centers — a repository of information on the Pentagon’s personnel and manpower. The agency plans to pick up ICAM federation efforts on classified networks in the future as well, he added.

While Hermann couldn’t provide an exact number of applications that will need to be federated across the Pentagon, he said it is more than first expected. He noted that federation work has also given different components insights on what systems they can modernize and others that have to be replaced in the future.

“This helps the exercise of determining whether something needs to get modernized and moved to ICAM, or it needs to potentially go away and cease to exist,” Hermann said. “I think there’s a lot of application rationalization that goes on across the department in this process, and that’s probably a good house-cleaning exercise.”

As it goes through the federation process, DISA is working with Pentagon components to determine whether an enterprise ICAM solution will meet their specific needs and avoid having too many instances across the department, Hermann said.

“We really want to prove that there’s no way that [something] could be supported by an existing ICAM before we create new ones because it’s not cheap to do this. There ought to be a real strong impetus for why we would have more of these,” he said. “I strongly believe in enterprise, and I want to try and make it work as much as possible. When we do that, then we have less requirements for federation because more users are being served by the enterprise solution.

Still, Hermann emphasized the importance of finding the right balance of ICAM solutions available, as having too few available would create bottlenecks for the Defense Department. To that end, allowing the military services to have their own ICAM solutions is helping DISA move faster with adoption, he said.

“My sincere hope is that at some point in the future, we can consolidate somewhat, but getting everybody to ICAM implementation and adoption quickly is served well by having some separate instances of ICAM,” Hermann said. “That, right now, is the longest pole in the tent of adopting ICAM — making sure that the application owners are able to work with their ICAM providers and get their applications connected.”

The post DISA aims to connect DOD services to federated ICAM solution by end of 2025 appeared first on DefenseScoop.

Since the Pentagon released its zero trust strategy in 2022, organizations across the DOD have worked to upgrade their IT infrastructure so that it operates under zero trust — a cybersecurity concept that assumes networks are already compromised by adversaries and requires continuous monitoring and authentication of users and devices. The department’s goal is for all components to achieve “target levels” of zero trust by the end of fiscal 2027.

While efforts have focused on transitioning the Pentagon’s networks and IT infrastructure, some of the services have already begun assessing how they can integrate zero trust and enabling technologies into physical systems.

“It’s not just networks. Our operational technology is critical as well. So our weapons systems, our platforms, our facilities have to fall within this zero-trust umbrella as well,” Anne Marie Schumann, principal cyber advisor at the Department of Navy, said Wednesday during a panel at the Zero Trust Summit hosted by Scoop News Group.

Schumann noted that the Pentagon has been tracking cyber threats to operational technology and is currently developing a zero-trust implementation plan for those systems. But advancements in adversary cyber threats — such as from the Chinese-linked group known as Volt Typhoon — have put pressure on the department to move faster.

“I think one of the changes is that urgency is now being met with more mature capabilities from industry and a more mature approach from the DOD, because we can draw on what we’ve done with zero trust for it, and we know what that roadmap looks like to get there. We just need to start implementing that,” she said.

The Department of the Navy has largely led the way for other components in executing the Pentagon’s zero-trust goals. Its cloud-based Microsoft Office 365 platform known as Flank Speed has already met all 152 zero-trust requirements set by DOD and is continuing to improve cybersecurity on other networks, Schumann noted.

To get after cybersecurity for physical systems, the DON is preparing a set of standards for its implementation of zero trust for operational technology, slated to publish “in the next month or so,” Schumann said. The standards are part of a larger Navy effort known as More Situational Awareness for Industrial Control Systems (MOSAICS) that broadly aims to develop and demonstrate cyber defense capabilities for its facilities.

The upcoming standards will outline how to achieve zero trust at a “basic level” that covers minimum cybersecurity requirements, as well as a “block 2 advanced level” that denotes achievement of all requirements, according to Schumann. The strategy mirrors the Defense Department’s own delineation between what it considers “target levels” and “advanced levels” of zero trust, detailed in the 2022 strategy.

“I think that would be a really useful level-set for both us and our industry partners to know how we’re measuring capabilities,” Schumann said.

Wanda Jones-Heath, principal cyber advisor for the Department of the Air Force, also said during the panel that her office is looking at how it should invest to implement zero-trust frameworks for operational technology. For its zero-trust efforts, the DAF has released its own strategy and implementation plan, which has been updated to include capabilities beyond networks and IT infrastructure and is pending signature from the new presidential administration, she noted.

“The Navy is certainly leading the way, and we are following very closely,” Jones-Heath said.

The post Navy looks to add zero-trust controls into weapon systems, platforms appeared first on DefenseScoop.

The Pentagon is planning to implement a novel mission partner environment architecture on a live network in support of a maritime mission being led by the United Kingdom in 2025. The goal is to employ zero trust and data-centric security capabilities on a federated architecture, composed of “multiple secure, collaborative data services between partners and hosted users,” a spokesperson for the office of the Joint Chiefs of Staff told DefenseScoop in a statement.

“This enables us to create a global information sharing capability,” the spokesperson said.

The event will leverage previous work done by the Pentagon’s Project Olympus, according to a department news release. Led by the Joint Staff’s J-6 directorate for command, control, communications and computers/cyber, the effort looks to solve challenges that prevent international allies and partners from sharing critical warfighting data by testing, developing and integrating various enabling technologies via experiments and demonstrations.

During the 2025 maritime mission, the United States, United Kingdom and Canada will utilize zero trust and data-centric security capabilities that were previously tested during Project Olympus 2024, including the Indo-Pacific Mission Network and Collaborative Partner Environment, according to the spokesperson.

Other international participants include Norway, Australia, Chile, Spain, France, India, Italy, Japan, Republic of Korea, Malaysia, Oman, New Zealand and Singapore.

“As part of this activity, we will assess command and control effectiveness and performance and CJADC2 capability maturity relative to a primary line of effort within the CJADC2 Strategy, Modernize Mission Partner Information Sharing,” the spokesperson said.

CJADC2 is the department’s new warfighting concept that aims to connect disparate systems operated by the U.S. military and international partners under a single network to enable rapid data transfer between all warfighting domains.

Although the Pentagon announced earlier this year that it had developed a “minimum viable capability” for CJADC2, there are still a number of technology and policy hurdles that inhibit the department’s ability to effectively share information with allies. As a result, the U.S. is adopting new mechanisms — such as zero trust and data-centric security standards — that allow for protected information sharing.

“We’ve historically looked at security as the antithesis for information sharing,” Jim Knight, the United Kingdom’s lead for Project Olympus, said in a Pentagon news release. “The security folks come in and want to sort of clamp down. With zero trust and data centric security, they are security mechanisms, but they are enabling information sharing.”

Zero trust is a cybersecurity framework that assumes adversaries are already moving through IT networks, and therefore requires organizations to continuously monitor and validate users and their devices as they move through the network.

The strategy differs from traditional “perimeter-based” security models that assume all users and devices can be trusted once already inside a network. It requires Pentagon components to modernize their IT infrastructures, as well as adopt new governance processes.

“I think that’s a key focus point,” Knight said. “For the first time, we’re getting that balance right in terms of applying more security. And by applying more security, we’re getting greater information sharing.”

The post DOD to demonstrate zero trust, data-centric security capabilities with allies during live exercise appeared first on DefenseScoop.

As part of the new role, McKeown will stand up and lead the CIO’s Cybersecurity Center of Excellence, which will focus on tackling long-range and complex innovation challenges for cybersecurity modernization. He will be responsible for a range of programs and operations that will ensure the Pentagon is prepared to meet emerging cybersecurity threats, the DOD CIO noted in a statement posted on LinkedIn.

“Establishing this new office divorces the day-to-day activities such as zero trust implementation, defense industrial base cybersecurity programs and policy development from the requirement to look over the horizon and take on the following cybersecurity threat,” the statement said. “With the Special Advisor for Cybersecurity Innovation, we are building an office to create transformational breakthroughs and drive strategic invention in cybersecurity.”

McKeown most recently served as both the deputy CIO for cybersecurity and chief information security officer since 2020 — a dual-hatted position where he led the department’s wide-ranging cybersecurity modernization efforts and associated policies. His tenure has seen the introduction of cutting-edge technologies and robust protocols to fortify the Pentagon’s cyber defenses.

He has been at the forefront of implementing the DOD’s zero trust strategy while overseeing adoption of the new cybersecurity standards at organizations across the Pentagon. McKeown has also worked to strengthen cybersecurity within the defense industrial base and helped the department revamp the Cybersecurity Maturity Model Certification (CMMC) standards. 

McKeown has over three decades of experience working in the Defense Department, including 27 years serving in the Air Force and 8 years as a government civilian employee. His prior roles include working as an Air Force cyberspace operations officer; the director of enterprise information and mission assurance for the Army’s Information Technology Agency; and the cybersecurity center chief and enterprise services center chief for the Defense Information Systems Agency’s Joint Service Provider.

Prior to joining the DOD CIO, McKeown also led the Department of Justice’s Service Delivery Staff. Prior to that role, he ran enterprise services and cybersecurity for the DOD’s Joint Service Provider.

Gurpreet Bhatia will assume the duties of acting deputy CIO for cybersecurity and CISO. He previously served as the DOD’s principal director for cybersecurity and deputy chief information security officer.

The post DOD taps McKeown to serve as new special assistant for cybersecurity innovation  appeared first on DefenseScoop.