Analysts Warn Compliance Goals May Outpace Real Security Outcomes

The U.S. Department of Defense’s push to overhaul its zero trust architecture is facing mounting pressure from other priorities including integrating artificial intelligence, cloud platforms and connected operational systems across the battlefield – raising questions about whether the Pentagon will meet its ambitious September 2027 deadline to secure its systems against attackers.
The convergence of emerging technology and the battlefield is forcing a broader shift in how the Pentagon approaches security, analysts told ISMG. The department first released its zero trust strategy and road map in 2022, pledging to move from perimeter-based defenses to a zero trust model in which trust is continuously evaluated across users, devices and data in real time. Recent congressional testimony from Pentagon Chief Information Officer Kirsten Davies detailed a sweeping effort to modernize the department’s technology ecosystem and cybersecurity program, with an emphasis on operational resilience, data integration and faster decision-making across military environments.
Davies told lawmakers the department is pursuing a more unified and risk-based approach to cybersecurity, designed to replace static compliance models with continuous monitoring and adaptive defense mechanisms. The shift comes as the Pentagon works to secure what experts describe as a sprawling and highly fragmented environment that includes legacy IT systems, modern cloud infrastructure and operational technology tied directly to mission systems.
“We are embarking on a bold transformation,” Davies said, noting that the Pentagon was “bringing back to the center all of enterprise IT and the cybersecurity program” to help eliminate duplicative spending, reduce technical debt, accelerate modernization and unleash innovation “from the core to the edge across our joint forces.”
At the center of the effort is a renewed push to operationalize zero trust principles across the Department of Defense environment, requiring structural changes in governance, architecture and execution across military services, combatant commands and defense agencies. Previous reports have said that the Defense Department has struggled to address persistent cybersecurity weaknesses, including gaps in asset visibility, system authorization and risk management processes (see: DOD Failing to Fix Critical Cybersecurity Gaps, Report Says).
Those challenges are also compounded by the scale of the department’s digital ecosystem and the growing reliance on interconnected systems – including those operated by contractors and partners across the defense industrial base. Recent policy changes reflect an effort to address the broader attack surface, with new cybersecurity requirements for defense contractors intended to strengthen baseline protections across the supply chain (see: Pentagon Issues Long-Awaited Contractor Cybersecurity Rule).
Congress has also increased funding for military cybersecurity programs, with the fiscal 2026 defense authorization bill allocating roughly $15 billion toward cyber initiatives tied to modernization and zero trust implementation (see: US Military Cyber Budget Jumps to $15B in 2026 NDAA).
But even with that investment, officials and analysts say the department faces deeper structural challenges that can’t be solved through funding alone – particularly around fragmented governance and uneven implementation across components.
Timothy Amerson, a veteran federal CISO with over 30 years of cybersecurity experience across the Pentagon and civilian branch agencies, said the department’s 2027 zero trust deadline is achievable – but may obscure the difference between compliance and real security outcomes.
“The 2027 deadline is achievable in name, but only if we are honest about what target level actually means,” Amerson told ISMG. “As of early 2025, only 14% of target-level zero trust activities had been completed across DoD’s 58 components.”
Amerson, who currently serves as federal CISO for GuidePoint Security, said the more significant risk is how success will be measured as the deadline approaches.
“What concerns me is whether those boxes represent genuine risk reduction or compliance theater,” he said, pointing to persistent gaps in identity, data and legacy infrastructure as key friction points, particularly as the department works to implement federated identity systems and consistent data classification across its environment. “Federated identity only protects you when every node is enrolled, and DoD is not there yet,” he said.
Analysts also noted that without consistent data tagging, zero trust architectures lack the context needed to enforce policy effectively.
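The two gaps named above, federated identity that only protects enrolled endpoints and untagged data that leaves a policy engine with nothing to evaluate, come down to a fail-closed decision rule. The following Python is an added example written for this article, not code from the Department of Defense or from any program or vendor mentioned here; the identity providers, classification ladder, device records and resource names are constructed, and the `evaluate` and `reevaluate` functions are hypothetical illustrations of a policy decision point feeding a network enforcement point.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed classification ladder for the example; real marking schemes differ.
CLASSIFICATION_RANK = {"UNCLASSIFIED": 0, "CUI": 1, "SECRET": 2}

# Constructed: identity providers this enclave federates with.
TRUSTED_IDPS = {"idp.enclave-a.example", "idp.enclave-b.example"}


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str
    idp: str  # federated identity provider that asserted this identity


@dataclass(frozen=True)
class Device:
    device_id: str
    enrolled: bool    # present in the enterprise device inventory
    posture_ok: bool  # latest endpoint health signal


@dataclass(frozen=True)
class Resource:
    name: str
    classification: Optional[str]  # None models untagged data
    segment: str  # network segment the enforcement point protects


@dataclass
class Decision:
    allow: bool
    reason: str
    # Network-level action handed to the enforcement point (PEP); empty on deny.
    enforcement: dict = field(default_factory=dict)


def evaluate(subject: Subject, device: Device, resource: Resource) -> Decision:
    """Hypothetical policy decision point: every check fails closed."""
    if subject.idp not in TRUSTED_IDPS:
        return Decision(False, f"identity provider {subject.idp} is not federated")
    if not device.enrolled:
        # Without enrolment the identity cannot be bound to the endpoint making
        # the request, so the federated assertion proves nothing about this node.
        return Decision(False, f"device {device.device_id} is not enrolled")
    if not device.posture_ok:
        return Decision(False, f"device {device.device_id} failed posture check")
    if resource.classification is None:
        # Untagged data gives the policy engine nothing to compare against.
        return Decision(False, f"resource {resource.name} has no classification tag")
    if CLASSIFICATION_RANK[subject.clearance] < CLASSIFICATION_RANK[resource.classification]:
        return Decision(False, f"{subject.user} lacks clearance for {resource.classification}")
    # The identity decision is translated into a network action the PEP applies,
    # closing the identity-to-network gap by construction.
    return Decision(True, "all checks passed", {
        "action": "permit",
        "user": subject.user,
        "device": device.device_id,
        "segment": resource.segment,
        "session_ttl_s": 300,
    })


def reevaluate(prev: Decision, subject: Subject, device: Device, resource: Resource) -> Decision:
    """Continuous evaluation: an allowed session is re-checked when a signal changes."""
    new = evaluate(subject, device, resource)
    if prev.allow and not new.allow:
        return Decision(False, "session revoked: " + new.reason,
                        {"action": "revoke", "device": device.device_id, "segment": resource.segment})
    return new


def run_scenarios() -> dict:
    """Constructed scenarios exercising each gap the article describes."""
    alice = Subject("alice", "SECRET", "idp.enclave-a.example")
    laptop = Device("lt-0001", enrolled=True, posture_ok=True)
    unenrolled = Device("lt-9999", enrolled=False, posture_ok=True)
    tagged = Resource("ops-db", "SECRET", "seg-ops")
    untagged = Resource("legacy-share", None, "seg-legacy")
    results = {
        "enrolled_tagged": evaluate(alice, laptop, tagged),
        "unenrolled_tagged": evaluate(alice, unenrolled, tagged),
        "enrolled_untagged": evaluate(alice, laptop, untagged),
    }
    # The same laptop later reports bad posture; the live session must not survive.
    drifted = Device("lt-0001", enrolled=True, posture_ok=False)
    results["posture_drift"] = reevaluate(results["enrolled_tagged"], alice, drifted, tagged)
    return results


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:18} allow={decision.allow!s:5} {decision.reason}")
```

The untagged legacy share is denied even to a fully cleared user on a healthy enrolled device, which is the practical meaning of "lacking the context needed to enforce policy": the engine cannot distinguish a harmless file from a sensitive one, so a fail-closed design refuses. The unenrolled device is denied despite a valid federated identity, matching the observation that federation only helps once every node is enrolled.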
James Winebrenner, CEO of Elisity, said the complexity of the defense environment makes achieving a mature zero trust posture fundamentally different from commercial enterprise deployments.
“The 2027 target is ambitious, and the ambition is exactly right,” Winebrenner told ISMG. “But when you’re talking about securing millions of endpoints across air-gapped networks, legacy OT infrastructure, coalition environments and edge deployments spanning every domain of warfare, ‘mature’ means something categorically different from what it means in a commercial enterprise.”
Winebrenner pointed to early successes such as the Navy’s Flank Speed program and DISA’s Thunderdome initiative as evidence that zero trust can be implemented effectively within defined environments. But scaling those models across the full department presents a significantly greater challenge, particularly given that only a small portion of zero trust activities had been completed as of early 2025.
Winebrenner also told ISMG that one of the most persistent gaps is the disconnect between identity systems and network-level enforcement. That gap is especially pronounced in operational technology environments, analysts noted, where legacy systems and extended modernization timelines complicate enforcement and extend risk exposure beyond the 2027 deadline.
Davies told lawmakers the department is working to centralize oversight of enterprise IT and cybersecurity functions under the CIO, streamline requirements and standardize approaches across the enterprise as part of its broader transformation strategy.
The effort also includes closer integration between cybersecurity operations and mission systems, as well as initiatives to improve interoperability with allies and partners through shared environments designed for secure data exchange.
The department is also expanding its cyber workforce authorities and training programs to address persistent talent shortages and support the transition to more advanced security models, according to Davies.
The Department of Defense did not respond to a request for comment.
