The Department of Defense (DoD) is planning to expand its zero trust initiatives beyond its September 2027 goal, with coming guidance set to focus on operational technology (OT) as the priority.
“In recent months, we’ve started focusing on OT. We’re on schedule to release guidance to address zero trust for OT and feel confident we’ll be able to provide it. We aim to have it ready by summer 2025,” Randy Resnick, director of the DoD’s Zero Trust Portfolio Management Office (PfMO), said today during Splunk’s Gov Summit in Washington, D.C.
Resnick first announced the DoD’s plans for the new zero trust guidance related to OT last month at the Red Hat Government Symposium.
While Resnick did not offer any specifics into what the strategy may look like, he did explain today that it will follow a similar framework to the DoD’s original zero trust strategy, maintaining the same concepts of target level and advanced level activities for zero trust.
In 2022, DoD released its zero trust strategy and roadmap outlining how the agency plans to fully implement a department-wide zero trust cybersecurity framework by fiscal year (FY) 2027. The department laid out high-level goals – cultural adoption, security and defense of DoD information systems, technology acceleration, and zero trust enablement – to achieve that zero trust vision.
To date, the department’s zero trust efforts have focused on meeting the FY2027 goal for IT, but over the past year, the push for a zero trust strategy for OT has grown. Resnick explained that this shift is in response to recent reports indicating that adversaries are increasingly targeting OT systems, rather than just IT-based ones.
“There is growing internal demand within the DoD asking, ‘What is the zero trust criteria for securing operational technology?’ In addition to OT, we also have to consider weapon systems and other critical infrastructure,” Resnick said.
He added that while his team plans to address these other critical defense systems, they are currently focused on developing guidance for OT.
Resnick explained that the coming guidance will differ from the original zero trust guidance “because OT operates in a different way and has different outcomes than IT.”
“So, the approach for OT will require different considerations. There won’t be 91 activities to reach target for OT like there are for IT; it may be 35 or 40 – I don’t know the exact number yet. But we’re working on this internally and externally, collaborating with vendors,” he added.
Resnick anticipates a summer 2025 delivery for the zero trust OT guidance, with the deadline for reaching target levels set for some time after 2027.
“We’re still working on the timeline, but that’s the next step in the zero trust process,” he said.
