Pentagon plans to publish zero trust strategy 2.0 in early 2026
The Defense Department is writing an updated version of its zero-trust strategy that will outline new cybersecurity frameworks for systems beyond information technology.
“We’re prepping the [ZT] strategy 2.0, estimating that it will be publicly available … around March 2026,” Randy Resnick, senior advisor for the Pentagon’s Zero Trust Portfolio Management Office, said Tuesday during a keynote at DefenseTalks hosted by DefenseScoop.
The upcoming document will expand upon the Defense Department’s first zero-trust strategy published in 2022, which tasked all DOD components to begin implementing updated cybersecurity controls.
Broadly, zero trust assumes networks and systems are compromised by adversaries, meaning the Pentagon must integrate controls that can continuously monitor and authenticate users and their devices as they move through the network.
While the department’s efforts have largely focused on securing IT infrastructure, Resnick said the updated strategy will include future plans for implementing the cybersecurity framework into operational technology, internet-of-things systems, defense critical infrastructure and weapon systems.
“We’re going to cover … in version 2.0 as a strategy the elements of how to secure these new frameworks,” he said.
The Pentagon intends to use the same structure of dividing ZT implementation activities into “target levels” and “advanced levels” for the new frameworks being added to the updated strategy, Resnick said. But because IT infrastructure is intrinsically different, the specific capability outcomes for each type of system will vary in number and requirements, he added.
For IT systems, the department created 91 cybersecurity capability outcomes that agencies and components must meet to achieve target levels of zero trust — covering minimum security requirements — on unclassified and secret networks by the end of fiscal 2027.
There are also 61 additional capability outcomes for what it considers advanced levels of zero trust, which all DOD components must meet by fiscal 2032, Resnick noted.
However, the Defense Department’s Office of the Chief Information Officer published its first guidance in November focused on implementing ZT controls for operational technology that outlined 84 capability outcomes for target-level zero trust and 21 for advanced-level zero trust — many of which are unique to the specific cybersecurity challenges of operational technology.
“The reason why OT is different than IT is because the outcomes for OT are different,” Resnick said. “You know, this is a sensor, this controls water and power — you don’t easily shut that down because you’re being attacked. That’s a denial of service on the OT system, and that’s a denial of service on yourself.”
The deadlines to achieve target- and advanced-levels of zero trust for operational technology are by the end of fiscal 2030 and fiscal 2033, respectively — although those dates could change by the time the zero-trust strategy 2.0 is published, Resnick said. Deadlines for defense critical infrastructure and weapon systems are currently in the works, he added.
Overall, the Pentagon is confident that its work to implement zero trust for IT systems will allow DOD components to do the same for other systems at a much faster pace, Resnick said.
“We have now a community of interest, tactical people, vendors — they’re all primed,” he said. “Congress wants us to go faster, everybody wants us to go faster, … and so we are marking these deadlines as lines in the sand and we’re going to hold people accountable, including the support system in DOD … to fund and support this.”
