As the Department of Defense (DOD) – which the Trump administration has rebranded to the Department of War – pushes to meet its fiscal year 2027 zero trust deadline, two major shifts over the past year have reshaped how the DOD is getting there.
Jeanette Duncan, chief information officer (CIO) and principal authorizing official at the Defense Counterintelligence and Security Agency (DCSA), detailed those shifts Thursday at the Cybersecurity Futures event hosted by ATARC, NextGov/FCW, and Washington Technology.
“We’ve been on this [zero trust] journey for a number of years now … but not everybody moved out at the same rate that we did,” Duncan said. “And two things happened in this past year to help the Department of War as a whole and the … defense field [activities] to try to get everybody over the line and meet the 2027 date.”
First, Duncan said the department reassigned responsibility for enabling network access without common access cards (CAC cards) to a separate defense field activity. She did not specify which one.
That change affects agencies such as DCSA, which support users who cannot use CAC cards – including retirees, family members, and individuals new to government service who need system access to complete security clearance processes. DCSA handles roughly 1.4 million unique logons, according to Duncan.
“We’ve got to make sure that every one of those people … can access it,” Duncan said.
The second major shift came when the Defense Information Systems Agency received permission to accelerate the migration of all Fourth Estate agencies to zero trust for network operations. Fourth Estate agencies are not part of military services or combatant commands.
“So, there’s a lot of movement going on in the background,” she said. “Everybody wants to get to zero trust. Everybody wants to do it right.” But with agencies at different stages and running different identity tools and legacy systems, Duncan said “you’re going to need a hybrid because not everybody’s on the cloud.”
To manage both the technical and budget pressures of that transition, Duncan said her team is consolidating tools and reassessing capabilities.
“Don’t just look at what we need to do for ICAM. Look at where my trade space is,” she said, adding DCSA has been “moving away from some of the prior tool sets … consolidating on others that will help us be more mature in the zero trust space.”