DOD: Zero Trust as a Cultural Shift, Not Just a Cybersecurity Strategy

This entry is part 2 of 12 in the series Implementing Zero Trust Architecture

In her first media appearance since rejoining the Department of Defense, Katie Arrington, PTDO CIO, discusses her vision for Zero Trust as a cultural shift, not just a cybersecurity strategy.

She recaps highlights from the 2025 Cyber Workforce Summit, shares updates on the CMMC program, and outlines how the DIB and commercial innovation are being integrated into DoD’s evolving IT and acquisition landscape.

3 Key Takeaways:

  • Zero Trust is a cultural transformation, requiring alignment across leadership, policy, and acquisition.
  • The CMMC program is moving forward as a key enabler of supply chain security, with strong support from DoD leadership.
  • Integration of commercial innovation and DIB readiness is essential to flattening the “valley of death” in defense acquisition.

Zero Trust Implementation in the DoD

The DoD has outlined a structured approach to implementing Zero Trust, guided by the 2021 DoD Zero Trust Strategy and subsequent execution plans. Key aspects include:

  • Zero Trust Portfolio Management Office (PfMO): Established to oversee and coordinate Zero Trust implementation across DoD components, ensuring alignment with strategic goals.
  • Seven Pillars of Zero Trust: The DoD’s Zero Trust framework is built on seven pillars—User, Device, Network/Environment, Application/Workload, Data, Visibility/Analytics, and Automation/Orchestration. These pillars guide investments and technology deployments.
  • Target and Advanced Levels: The DoD aims to achieve a “Target” level of Zero Trust maturity by 2027, with foundational capabilities like MFA and micro-segmentation, and progress toward an “Advanced” level with fully automated, dynamic security policies.
  • Integration with Existing Frameworks: Zero Trust aligns with the DoD’s Cybersecurity Maturity Model Certification (CMMC) and Risk Management Framework (RMF), ensuring compliance and interoperability with defense contractors and partners.
  • Cloud and Edge Integration: The DoD leverages Zero Trust to secure cloud environments (e.g., Joint Warfighting Cloud Capability) and tactical edge devices, enabling secure operations in contested environments.

Key Technologies and Practices

The DoD employs several technologies to operationalize Zero Trust:

  • Identity, Credential, and Access Management (ICAM): Centralized identity management systems to enforce MFA and role-based access.
  • Software-Defined Networking (SDN): Enables dynamic network segmentation and traffic control.
  • Endpoint Detection and Response (EDR): Monitors devices for threats and ensures compliance with security policies.
  • Security Information and Event Management (SIEM): Provides real-time analytics for threat detection and incident response.
  • Encryption and Data Loss Prevention (DLP): Protects data in transit and at rest, preventing unauthorized exfiltration.

Conclusion

Zero Trust is a transformative element of the DoD’s cybersecurity strategy, shifting from reactive, perimeter-based defenses to a proactive, identity-driven approach.

By embedding continuous verification, least privilege, and real-time monitoring, Zero Trust strengthens the DoD’s ability to protect critical assets, counter evolving threats, and maintain operational readiness in an increasingly contested cyber landscape. The DoD’s commitment to achieving Zero Trust maturity by 2027 underscores Zero Trust’s role as a strategic priority for national security.
