
The U.S. Department of Defense (DoD) is working towards setting up a zero trust (ZT) Portfolio Management Office (PfMO) that will take the lead in coordinating, synchronizing, and advancing the DoD Enterprise into a ZT cybersecurity architecture, modernizing the department’s ability to prevent malicious actors from exploiting DoD data and resources. In a memorandum for senior Pentagon leadership, defense agency, and DoD field activity directors, Katherine Arrington, performing the duties of DoD Chief Information Officer, also created the role of chief zero trust officer to lead strategy, align efforts, and advise on resource priorities to support department-wide adoption in line with the DoD Zero Trust Strategy.
The memo applies to all DoD Components, including the Office of the Secretary of Defense, the Military Departments (including the U.S. Coast Guard, even when operating under the Department of Homeland Security), the Office of the Chairman of the Joint Chiefs of Staff and the Joint Staff, the Combatant Commands, the Office of Inspector General, the Defense Agencies, and DoD Field Activities. Arrington mentioned that the memo takes effect on July 17 this year and will be converted into a formal DoD instruction. It is set to expire on July 17 next year.
The ZT PfMO is the overall DoD zero trust lead to coordinate, synchronize, and advance the DoD Enterprise into a zero trust cybersecurity architecture, modernizing the DoD’s ability to prevent malicious actors from exploiting the department’s data and resources.
The Chief Zero Trust (ZT) Officer holds authorities delegated by the DoD Chief Information Officer (CIO) to carry out all assigned missions and responsibilities. This role operates under the guidance of the DoD Cyber Council and the DoD ZT Executive Committee (EXCOM), while elevating key decisions as needed across all aspects of doctrine, organization, training, materiel, leadership and education, personnel, facilities, and policy (DOTMLPF-P) affected by Zero Trust.
The Chief ZT Officer sets the direction, strategy, implementation milestones, and processes for DoD-wide execution of the Zero Trust Strategy. They are responsible for developing, issuing, and tracking governance decisions, processes, and guidance related to Zero Trust across the department, including roles and responsibilities. When necessary, the Chief ZT Officer also develops DoD policy and implementation guidance for CIO action following DoD Instruction 5025.01.
In addition, the Chief ZT Officer coordinates department-wide Zero Trust efforts and supports the DoD Cyber Council on all matters related to implementation. All guidance issued by the ZT Portfolio Management Office must align with existing directives from the DoD CIO and, when applicable, the Director of National Intelligence.
The Chief ZT Officer also serves as the lead authority for any Zero Trust-related tasks, engagements, briefings, or reports to or from Congress. The role includes oversight of Zero Trust resourcing and the recommendation of funding priorities across DoD Components to ensure successful execution of the DoD ZT Strategy.
Lastly, the Chief ZT Officer leads coordination and accelerates Zero Trust adoption across the department in collaboration with key internal and external stakeholders.
The responsibilities of the Chief Zero Trust Officer include overseeing the development and execution of the DoD’s ZT strategy and planning efforts. The officer will also be responsible for publishing and updating the DoD Zero Trust Strategy, including associated execution plans and roadmaps, as needed. This role also reviews and approves zero trust implementation plans (I-Plans) and roadmaps submitted by DoD Components.
The Chief ZT Officer sets strategic and execution milestones for the entire department to reach both target and advanced Zero Trust capabilities. To support these goals, the officer ensures that Zero Trust-related budgets are properly aligned with achieving the target level of ZT across the DoD before the end of fiscal year 2027.
The officer also prioritizes Zero Trust funding within the DoD CIO’s existing Capability Programming Guidance, under Section 11319 of Title 40 of the U.S. Code and other applicable policies. When needed, the Chief ZT Officer works with the Under Secretary of Defense (Comptroller)/Chief Financial Officer and the Director of Cost Assessment and Program Evaluation to reprioritize funding to meet the department’s ZT targets.
In addition, the Chief ZT Officer supports annual funding assessments, advises on DoD Component budget planning for ZT initiatives, and maintains visibility into department-wide budget actions that affect Zero Trust adoption. The officer also supports the DoD Cyber Council and the DoD ZT Executive Committee on matters related to zero trust implementation.
The Chief ZT Officer is responsible for leading the governance and oversight of the DoD’s Zero Trust portfolio and managing associated risks across the enterprise. This includes defining, coordinating, and publishing department-wide Zero Trust guidance as needed. The officer manages and prioritizes the portfolio of Zero Trust initiatives and actions aligned with the DoD ZT Strategy, ensuring consistent execution across Components.
They identify and monitor enterprise-level Zero Trust risks and lead the development of mitigation strategies. In support of this, the Chief ZT Officer develops, issues, and tracks governance decisions, including the definition of roles, responsibilities, and operational processes for zero trust implementation.
The role also involves defining and publishing metrics that measure strategy execution, capability development, and activity performance across the enterprise. The Chief ZT Officer is responsible for approving and releasing official DoD Zero Trust assessment frameworks and guidance documents.
Progress tracking is a critical function, with the officer verifying that DoD Components are meeting the requirements outlined in Zero Trust strategies, policies, and standards. Additionally, the officer monitors federal regulations, directives, and laws that may affect the implementation of the DoD Zero Trust Strategy and ensures compliance across the department.
The Chief ZT Officer provides technical leadership and support for the development, evaluation, and integration of Zero Trust capabilities across the DoD. This includes offering technical advisory services and support for pilot programs and exercises, including the development of test plans to assess emerging ZT capabilities and solutions. The officer is responsible for defining and publishing formal DoD Zero Trust technical requirements.
As part of their oversight, the Chief ZT Officer reviews and contributes to the development of DoD reference architectures related to zero trust, including alignment with broader cybersecurity and interrelated design frameworks. They ensure that zero trust architectures developed by DoD Components and mission partners are interoperable and aligned with department-wide goals. The officer also evaluates technical evidence submitted by DoD Components to verify progress toward achieving both target and advanced Zero Trust capabilities.
The Chief ZT Officer is also responsible for publishing tailored Zero Trust communications for both internal and external DoD audiences, ensuring consistent messaging and alignment with the department’s strategic objectives. The officer leads the development and sustainment of a DoD-wide Zero Trust community of practice to foster collaboration, knowledge sharing, and best practices across Components. They oversee and contribute to the design and rollout of Zero Trust training programs, ensuring personnel are equipped to support ZT implementation effectively.
To drive coordination, the Chief ZT Officer actively consults and collaborates with key stakeholders and partners involved in Zero Trust adoption. The role includes developing, issuing, updating, and tracking governance decisions—defining roles, responsibilities, and processes critical to the successful execution of the DoD’s ZT Strategy. Additionally, the officer formulates Zero Trust policy recommendations for review and approval by the DoD Chief Information Officer.
The memo states that the DoD CIO provides strategic leadership for aligning all current and future Zero Trust-related cybersecurity efforts, investments, and initiatives across the full spectrum of doctrine, organization, training, materiel, leadership and education, personnel, facilities, and policy (DOTMLPF-P). The CIO serves as co-chair of the DoD Zero Trust Executive Committee (EXCOM), overseeing implementation, coordination, and alignment of the DoD Zero Trust Strategy across the Department and the Intelligence Community, leveraging existing committee structures.
The CIO is responsible for appointing the Chief Zero Trust Officer, a civilian at the Senior Executive Service level or equivalent, to carry out necessary duties. In coordination with the Commander of U.S. Cyber Command, the CIO oversees execution of the Zero Trust Strategy and conducts annual reviews and assessments of DoD Component-level Zero Trust Implementation Plans (I-Plans). These reviews evaluate how effectively the Zero Trust principles, architecture, and framework are applied across all networks, systems, and infrastructure, including Defense Critical Infrastructure and weapons systems.
The CIO also assesses the feasibility, executability, acceptability, and anticipated cybersecurity outcomes of these implementation plans, based on defined Zero Trust capabilities and outcome metrics. To monitor progress, the CIO uses the DoD Cybersecurity Hardening Scorecard, available on the Secure Internet Protocol Router Network (SIPRNet), to track implementation milestones and assess security outcomes tied to the Zero Trust Strategy. The CIO also leverages additional reporting mechanisms.
In May, the DoD detailed an initiative, ‘Accelerating Secure Software,’ and kicked off a 90-day sprint to develop the Software Fast Track (SWFT) framework and implementation plan. The move will lead the Department’s adoption of best practices to obtain, develop, and field secure software. The SWFT Initiative will define clear, specific cybersecurity and Supply Chain Risk Management (SCRM) requirements; rigorous software security verification processes; secure information sharing mechanisms; and federal government-led risk determinations to expedite the cybersecurity authorizations for rapid software adoption.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.