
The Pentagon is drafting a new version of its cybersecurity blueprint, Zero Trust Strategy 2.0, expected to be released by the end of the year, according to Randy Resnick, director of the Zero Trust Portfolio Management Office.
The updated strategy will serve as a comprehensive refresh of the original 2022 Zero Trust Strategy, incorporating lessons learned over the past three years and expanding its focus to include operational technology (OT) – a crucial but often overlooked component of military infrastructure.
Speaking at the Billington CyberSecurity Summit on Sept. 10, Resnick said the Zero Trust Strategy 2.0 is expected to be released by December 2025 or January 2026. The strategy will offer a “global update” of the original plan and reflect changes in both technology and threat landscapes.
“It’s going to bring everything modernized and up to date and make it more focused,” he said. “You’re going to see communications coming out in the near future that cement that message.”
While the Department of Defense (DOD) – which the Trump administration has rebranded as the Department of War – awaits the release of the final strategy, it continues to ramp up implementation of zero trust principles, “laying critical groundwork ahead of the 2027 deadline.”
In 2022, DOD released its zero trust strategy and roadmap outlining how the agency plans to fully implement a department-wide zero trust cybersecurity framework by fiscal year (FY) 2027. The department laid out high-level goals – cultural adoption, security and defense of DOD information systems, technology acceleration, and zero trust enablement – to achieve that zero trust vision.
To reach this “target level” of zero trust, defense agencies must meet 91 capabilities – and a total of 152 for “advanced” zero trust.
With just two years left before the FY 2027 implementation deadline, Resnick emphasized that the department’s focus has shifted fully from strategy to action.
Resnick said his office is reviewing 57 third-quarter zero trust implementation plans from DOD components, which offer “much more fine-tuned, granular information” on what technologies they plan to buy, how they’ll use them, and where they’ll be deployed.
“We’re in a good place,” Resnick said. “We’re 24 months away from our deadline at the end of fiscal year 2027, and we’ve already defined what target and advanced zero trust levels are – so that’s no longer an issue. It’s time to buy and implement. It takes time to move users, develop rules, install systems. They’re going to need every bit of those 24 months.”
Additionally, Resnick explained that annual zero trust implementation plans from all DOD components are due by the end of October, a congressionally mandated deadline tied to the original 2022 strategy. Resnick said he expects those plans to show that components are ready to move into full-scale procurement and deployment.
Also underway is the development of a zero trust plan specifically for OT, marking a key step in broadening the strategy’s scope beyond traditional IT.
As the department looks to expand zero trust principles beyond traditional IT systems, Resnick said new guidance on securing OT will be released next month. The guidance will include what Resnick called a “fan chart” to guide implementation and define target and advanced levels of maturity.
While a firm deadline for OT zero trust security has not yet been set, Resnick noted that the year 2030 has been discussed in the past, though no final decision has been made.