DoD floats 2035 as goal for zero trust in weapons systems

Chief of the Department of Defense Zero Trust Portfolio Management Office Randy Resnick. (DoD photo by U.S. Air Force Tech. Sgt. Jack Sanders)

WASHINGTON — The Department of Defense is looking to meet a soft deadline of achieving zero-trust architecture for weapons systems by 2035, the director of the Zero Trust Office within the Pentagon’s Chief Information Office said today. 

This means building zero-trust architectures into systems like aircraft, tanks and ships. It will be no easy feat, Randy Resnick said, but he hopes it can be achieved within the next decade. 

“We’re talking about stuff that potentially is inside the skin of this, of the weapon system. That’s not our expertise. That would require us to work with other elements in the Pentagon, as well as the vendors who are designing these systems, especially ones new that haven’t been designed yet,” Resnick said during ATARC’s DoD Zero Trust Symposium. 

“We are far away. I’m suggesting fiscal [year 20]35 and beyond. That might actually be a 10-year effort or more.” 

Language in the 2022 National Defense Authorization Act mandated that the Pentagon focus on zero trust for information technology (IT), operational technology (OT) and weapons systems, with weapons systems being the last element to achieve zero trust implementation, according to the DoD’s Zero Trust Strategy.

In 2022, the Pentagon began planning to achieve full target zero trust implementation for the department’s IT systems by the end of FY27 — something Resnick said was a lofty but achievable goal in just five years from the time the planning began. 

“You could argue whether or not it’s too slow. But I could tell you, in the world’s biggest bureaucracy, where everybody has an opinion, five years is lightning speed for the type of thing that we’re describing needs to get done,” Resnick said.

As Breaking Defense previously reported, Resnick announced in November that his office was “shifting” its focus to implementing zero trust for OT due to increased adversarial attacks on critical infrastructure. Unlike IT that primarily deals with software and data, OT generally refers to systems and devices that control physical processes, like thermostats, water tanks and machinery on a factory floor. 

Resnick said today that official guidance on implementing zero trust for OT will be released by October of this year, but his office “could possibly even do that a little sooner” as it depends on what type of feedback is received once they start circulating the plans within the Pentagon in the coming weeks. Resnick previously said the zero trust guidance for OT would be released at the end of this summer. 

Further, he said he hopes zero trust for operational technology will be fully implemented by 2030, which will help inform guidance on weapons systems. He emphasized that though Congress mandated implementing zero trust for weapons systems, it may not make sense for every system to be zero trust compliant. 

“We need to start thinking and talking about how can we put elements of zero trust in it [weapons systems], and whether or not it even makes sense. It’s very green in the thinking,” Resnick said. “The spirit of wanting to do some more things to control those systems is there. We’re open minded.

“But we’re putting it down just as a placeholder, because I want everybody to understand that even in the commercial world, maybe not just for weapon systems, that ZT [zero trust] doesn’t end with IT.”