The SolarWinds breach was more than just another cyber incident—it was a watershed moment that fundamentally reshaped how the federal government, and particularly the Department of Defense (DoD), thought about security. The attack revealed that traditional perimeter defenses were no longer enough to safeguard the digital crown jewels of the U.S. military.
Leaders like then-Assistant Air Force Secretary Will Roper warned that the very software factories driving digital modernization had themselves become targets. In the aftermath, the DoD made a decisive move: the adoption of Zero Trust as its guiding cybersecurity philosophy.
What was once a conversation about principles has now become one about execution. The DoD’s ongoing journey illustrates how an abstract idea is being transformed into tactical reality across one of the world’s most complex digital ecosystems.
The Old World: When the Castle Walls Crumbled
For decades, the DoD relied on what was commonly referred to as the “castle-and-moat” defense. The idea was simple: protect the network perimeter, and once someone was inside, trust was largely assumed.
Vice Adm. Nancy Norton, then director of the Defense Information Systems Agency (DISA), explained the inherent risk: “If our adversaries make it across the moat, they have free rein inside the castle.”
The SolarWinds incident proved this all too clearly. The adversaries did not breach the perimeter; they rode in through a trusted channel. A trojanized update to SolarWinds’ Orion platform, signed and distributed like any other, gave them a foothold inside networks that had already granted Orion broad privileges. From there they harvested credentials and forged authentication tokens, so that their activity looked like legitimate administrators at work. The once-dominant paradigm of certifying systems as “impregnable” collapsed under the weight of modern threats.
The solution was a radical rethink—Zero Trust, summed up in a simple but powerful mantra: never trust, always verify.
The Zero Trust Mandate: Turning Principles into Protection
Zero Trust is far more than a cybersecurity framework—it represents a paradigm shift in how organizations approach trust, risk, and resilience. Where traditional models assumed safety within the network perimeter, Zero Trust assumes the opposite: that no device, user, or connection can be trusted without verification. For the Department of Defense (DoD), this shift is not just technical but cultural, demanding new ways of thinking about digital defense.
Zero Trust is expected to replace the Defense Department’s traditional network-centric security model with a data-centric one, prioritizing the protection of data and critical resources over the assumption that the network itself can be trusted. As Norton explained, under the legacy defense-in-depth model the goal was to make the DoD Information Network (DODIN) a safe and trusted environment. Zero Trust begins from the opposite premise: all networks, internal or external, are hostile. Access is denied by default and granted only by explicit, narrowly scoped exception, a reversal of the old assumption that trusted insiders could move freely once inside the perimeter. This is not a technical upgrade so much as a redefinition of how the department secures its cyber domain.
1. Assuming a Hostile Environment
The cornerstone of Zero Trust is the belief that no network is inherently safe. Whether a request originates inside or outside organizational boundaries, it must be treated with equal suspicion. This philosophy directly challenges decades of reliance on internal trust zones.
As Norton observed, “We will always assume that our internal networks are as hostile as external networks.” Treating every connection as potentially compromised removes the blind spots in which an adversary who had already breached the perimeter could once operate freely.
2. Verifying Explicitly
Zero Trust demands that identity and intent be verified explicitly rather than inferred from network location. Every user, device, and application interaction is authenticated and authorized at the time of the request, drawing on strong identity management, multifactor authentication, and behavioral analytics.
This is more than a login check. Access decisions are made by dynamic, risk-aware policies that weigh context such as device health, geolocation, and deviation from a user’s normal pattern of activity, and they are made per transaction rather than once per session. Nothing is implicitly trusted, and every request is logged, inspected, and continuously monitored. The payoff is that a stolen password or replayed token is no longer sufficient on its own: it must still be paired with a healthy, managed device and plausible context, and any request outside that envelope is denied or forced to re-authenticate, and leaves a record either way.
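The decision logic described above, as an added example in the style of the policy decision point (PDP) that NIST SP 800-207 separates from the enforcement point. This is illustration code, not DoD or Air Force code; the signal names, thresholds, resource names and sample requests are assumptions constructed for the example. The point it makes is the one in the text: valid credentials on the wrong device, from the wrong place, or with the wrong behaviour still get denied, and every decision is logged.

```python
"""Added example (not DoD or Air Force code): a minimal Zero Trust policy
decision point. Every request is denied unless identity, device posture,
least-privilege authorization and context all pass; medium-risk context or a
privileged action forces step-up authentication. All names, thresholds and
sample data below are assumptions constructed for illustration."""
from dataclasses import dataclass, field

@dataclass
class Subject:
    user: str
    mfa_verified: bool          # phishing-resistant MFA completed for this session
    roles: set = field(default_factory=set)

@dataclass
class Device:
    device_id: str
    managed: bool               # enrolled in enterprise device management
    compliant: bool             # patch level and endpoint agent health attested

@dataclass
class Context:
    country: str                # from the request's source geolocation
    anomaly_score: float        # 0.0 (normal) .. 1.0 (highly unusual), from analytics

@dataclass
class Request:
    subject: Subject
    device: Device
    context: Context
    resource: str
    action: str

@dataclass
class Decision:
    effect: str                 # "allow", "deny" or "step_up"
    reason: str

# Least-privilege policy: resource -> action -> roles permitted.
# Anything not listed here is denied (default deny).
RESOURCE_POLICY = {"logistics-db": {"read": {"logistics", "admin"}, "write": {"admin"}}}
PRIVILEGED_ACTIONS = {"write"}
ALLOWED_COUNTRIES = {"US"}
STEP_UP_THRESHOLD = 0.4
DENY_THRESHOLD = 0.8

def decide(req: Request) -> Decision:
    """Evaluate one request; the first failing check wins and nothing is assumed."""
    # 1. Verify identity explicitly: a password alone never satisfies the policy.
    if not req.subject.mfa_verified:
        return Decision("deny", "MFA not verified")
    # 2. Device posture: unmanaged or unhealthy devices never reach the resource,
    #    even when the credentials presented are valid.
    if not req.device.managed:
        return Decision("deny", "device not enrolled")
    if not req.device.compliant:
        return Decision("deny", "device failed health attestation")
    # 3. Authorization: deny unless some role the subject holds grants the action.
    permitted = RESOURCE_POLICY.get(req.resource, {}).get(req.action, set())
    if not (req.subject.roles & permitted):
        return Decision("deny", f"no role grants {req.action} on {req.resource}")
    # 4. Context: hard deny on high-risk signals; step-up on medium risk or on a
    #    privileged action, so a hijacked session cannot silently escalate.
    if req.context.country not in ALLOWED_COUNTRIES:
        return Decision("deny", f"access from {req.context.country} not permitted")
    if req.context.anomaly_score >= DENY_THRESHOLD:
        return Decision("deny", "anomaly score above deny threshold")
    if req.context.anomaly_score >= STEP_UP_THRESHOLD or req.action in PRIVILEGED_ACTIONS:
        return Decision("step_up", "re-authentication required for this transaction")
    return Decision("allow", "all checks passed")

def audit_record(req: Request, decision: Decision) -> dict:
    """Every decision, allowed or not, becomes a structured log event."""
    return {"user": req.subject.user, "device": req.device.device_id,
            "resource": req.resource, "action": req.action,
            "country": req.context.country, "anomaly": req.context.anomaly_score,
            "effect": decision.effect, "reason": decision.reason}

def sample_decisions() -> dict:
    """Constructed requests exercising the policy; returns {case: effect}."""
    analyst = Subject("a.smith", mfa_verified=True, roles={"logistics"})
    admin = Subject("j.doe", mfa_verified=True, roles={"admin"})
    managed = Device("lt-0417", managed=True, compliant=True)
    stale = Device("lt-0902", managed=True, compliant=False)
    unknown = Device("unknown-host", managed=False, compliant=False)
    normal = Context("US", anomaly_score=0.05)
    odd = Context("US", anomaly_score=0.55)
    abroad = Context("XX", anomaly_score=0.10)   # placeholder code for a non-allowed country
    cases = {
        "analyst reads logistics": Request(analyst, managed, normal, "logistics-db", "read"),
        "analyst writes logistics": Request(analyst, managed, normal, "logistics-db", "write"),
        "admin writes logistics": Request(admin, managed, normal, "logistics-db", "write"),
        "stolen admin session, unmanaged host": Request(admin, unknown, normal, "logistics-db", "read"),
        "admin on non-compliant laptop": Request(admin, stale, normal, "logistics-db", "read"),
        "admin with anomalous behaviour": Request(admin, managed, odd, "logistics-db", "read"),
        "admin from non-allowed country": Request(admin, managed, abroad, "logistics-db", "read"),
    }
    results = {}
    for name, req in cases.items():
        d = decide(req)
        results[name] = d.effect
        print(audit_record(req, d))     # in production this event goes to the SIEM
    return results

if __name__ == "__main__":
    sample_decisions()
```

The order of the checks is deliberate: identity and device posture are evaluated before authorization, so an attacker holding a valid admin session on an unmanaged host is rejected with a reason that names the device, not the account, which is what the responder needs to see in the log. Step-up rather than deny on medium risk keeps friction proportional to the signal.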
3. Segmenting Relentlessly
If verification is the guard at every door, segmentation is the architecture of the building itself. By breaking systems into smaller, isolated units, Zero Trust ensures that a breach in one area does not grant access to the entire enterprise.
This principle mirrors naval design, where ships are divided into watertight compartments. If one section floods, the vessel stays afloat. Similarly, Zero Trust segmentation stops attackers from moving laterally across networks, limiting the blast radius of a breach and buying defenders time to respond.
4. Beyond Technology: Policies and Culture
Zero Trust is not a plug-and-play solution. It requires more than deploying new firewalls or access controls—it is a fundamental rethinking of security policies and organizational culture.
Policies must be rewritten to enforce least-privilege access, while leaders must drive cultural change so that constant verification becomes second nature rather than an inconvenience. For the DoD, this means re-educating thousands of personnel, from senior commanders to everyday system users, to view security as everyone’s responsibility.
5. The DoD’s Architectural Transformation
Implementing Zero Trust at the scale of the DoD is a monumental undertaking. It is not simply about upgrading tools—it is about redesigning the very architecture of military networks. Legacy systems must be modernized, policies must be standardized, and interoperability across services must be ensured.
This wholesale transformation touches everything from software factories to battlefield communications. It is both a technological and cultural revolution—one that requires persistence, coordination, and unwavering commitment. For the DoD, adopting Zero Trust is not optional; it is the only viable path to securing the future digital battlespace.
The urgency behind this transformation is clear. The Defense Department faces relentless cyber assaults, with state and non-state actors generating more than a billion cyber events each month across its global networks. Every service branch, combatant command, and warfighting domain presents a potential target. The rapid expansion of telework during the COVID-19 pandemic only widened the attack surface, giving adversaries more opportunities to exploit vulnerabilities. These pressures have accelerated the DoD’s embrace of Zero Trust as not only a modernization initiative but a strategic necessity. In this contested environment, where adversaries probe constantly for weaknesses, Zero Trust offers the resilience needed to secure the digital backbone of U.S. defense operations.
The Air Force Takes the Lead
The move from theory to practice has accelerated in 2024. In October, the Air Force officially released its Zero Trust strategy, offering one of the clearest examples of how the military is operationalizing this vision.
The strategy lays out an ambitious timeline to achieve “intermediate maturity” by FY28, but progress is already visible. According to Justin Stolpman, director of the Air Force’s Zero Trust Functional Management Office, the service has rolled out micro-segmentation across 80% of its NIPRNet server endpoints.
“This is giving us never-before-seen visibility,” Stolpman said, highlighting how new access controls are illuminating once-hidden machine-to-machine communications.
The importance of segmentation was underscored by Gary Barlet, Public Sector CTO at Illumio: “Because you’re putting all these little rings of defenses in place, it makes it harder for an adversary to move through your enterprise. Instead of just one large open building where they can wander around at will, every door’s locked.”
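The two segmentation points made above, the "watertight compartments" principle and the Air Force's experience that enforcing micro-segmentation exposed previously unseen machine-to-machine traffic, as one added example. This is illustration code, not Air Force, DISA or Illumio code; the segment labels, the allowlist and the flow records are constructed for the example. It takes a learning-period export of observed east-west flows, reports which ones a default-deny allowlist would drop (the "never-before-seen" dependencies that must be reviewed before enforcement), and computes how far an attacker on a given segment can reach by chaining permitted connections.

```python
"""Added example (not Air Force or vendor code): default-deny micro-segmentation
checked against observed east-west flows. Segment names, the allowlist and the
flow records are all constructed for illustration."""
from collections import defaultdict

# Declared policy as (source_segment, dest_segment, dest_port). Anything not
# matched is dropped. "all" is a wildcard for every segment.
ALLOWLIST = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("all", "log-collector", 514),   # every workload may ship syslog
    ("jump", "all", 22),             # jump hosts may SSH anywhere
}

# Host -> segment label, as an inventory or tagging system would provide.
HOST_SEGMENT = {
    "web01": "web", "web02": "web", "app01": "app", "app02": "app",
    "db01": "db", "log01": "log-collector", "jump01": "jump",
    "legacy-mf01": "legacy",
}

# Constructed flow records (src_host, dst_host, dst_port) as a segmentation
# agent or flow sensor would export them during a learning period.
OBSERVED_FLOWS = [
    ("web01", "app01", 8443),
    ("app01", "db01", 5432),
    ("app02", "log01", 514),
    ("web02", "db01", 5432),        # web tier reaching the DB directly: undeclared
    ("app01", "legacy-mf01", 23),   # telnet to a mainframe: previously invisible
    ("jump01", "db01", 22),
]

def is_allowed(src_seg: str, dst_seg: str, port: int) -> bool:
    """Default deny: true only if some allowlist rule matches."""
    return any(
        s in (src_seg, "all") and d in (dst_seg, "all") and p == port
        for s, d, p in ALLOWLIST
    )

def audit_flows(flows) -> list:
    """Flows the policy would drop: either violations or undocumented
    dependencies that must be reviewed before enforcement is switched on."""
    return [
        (src, dst, port) for src, dst, port in flows
        if not is_allowed(HOST_SEGMENT[src], HOST_SEGMENT[dst], port)
    ]

def reachable_segments(start: str) -> set:
    """Segments an attacker holding a host in `start` can reach by chaining
    permitted connections: the blast radius under enforced policy."""
    segments = set(HOST_SEGMENT.values())
    edges = defaultdict(set)
    for s, d, _port in ALLOWLIST:
        for src in (segments if s == "all" else {s}):
            edges[src] |= segments if d == "all" else {d}
    seen, stack = set(), [start]
    while stack:
        seg = stack.pop()
        for nxt in edges[seg]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    seen.discard(start)
    return seen

if __name__ == "__main__":
    for flow in audit_flows(OBSERVED_FLOWS):
        print("would be DROPPED:", flow)
    for seg in ("web", "db", "jump"):
        print(f"blast radius from {seg}: {sorted(reachable_segments(seg))}")
```

Two things the output shows that the prose does not. First, the undeclared flows are not all attacks: the telnet session to the mainframe is exactly the kind of legacy dependency that surfaces only when visibility arrives, and it has to be either declared or retired before enforcement, not silently dropped. Second, segmentation narrows but does not eliminate paths: a compromised web host can still reach the database through the application tier, while the jump segment reaches everything, which is why jump hosts deserve the strictest identity and device checks of all.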
Air Force Zero Trust Rollout: A Timeline
The journey of the Air Force toward Zero Trust has not been sudden, but rather a deliberate progression shaped by lessons learned and strategic milestones. Each phase represents a significant step in reshaping how the service protects its digital assets and operational networks.
2020 – The SolarWinds Breach
The SolarWinds attack served as a pivotal wake-up call for both the Department of Defense and the Air Force. The breach exposed glaring weaknesses in perimeter-based defense models and demonstrated how adversaries could bypass traditional protections to operate undetected within trusted systems. For the Air Force, this incident made it abundantly clear that incremental security patches were not enough; what was needed was a complete rethinking of cybersecurity architecture.
2021 – DoD Issues the Zero Trust Mandate
In response to the growing threat landscape, the Department of Defense published its Zero Trust Reference Architecture in 2021. That reference architecture codified “never trust, always verify” as the cornerstone of future cybersecurity efforts across the services and gave them a common target to build toward. The Air Force, like its sister branches, was tasked with bringing its digital defense strategy into line with it, setting the stage for a broader transformation.
2022–2023 – Building the Foundation
The following years were focused on laying the groundwork. In November 2022 the DoD published its Zero Trust Strategy and Roadmap, which set fiscal 2027 as the deadline for every component to reach “target level” Zero Trust. The Air Force launched pilot programs to test micro-segmentation and new access controls in operational settings, and established key organizational structures, such as the Zero Trust Functional Management Office, to oversee and coordinate implementation. These foundational efforts provided the technical insight and governance mechanisms needed to scale Zero Trust across larger networks.
October 2024 – The Official Strategy
In October 2024, the Air Force released its formal Zero Trust Strategy, marking a transition from experimentation to execution. The plan laid out a clear path to achieving “intermediate maturity” by FY28, with measurable milestones along the way. Notably, the service had already deployed micro-segmentation on 80% of its NIPRNet server endpoints, a major achievement that gave commanders unprecedented visibility into machine-to-machine communications and reduced opportunities for lateral movement by adversaries.
2028 – The Targeted Maturity Goal
Looking ahead, the Air Force has set FY28 as the benchmark for reaching intermediate maturity in its Zero Trust adoption. By that point, the service expects to have integrated Zero Trust practices across its networks, providing stronger resilience against both insider threats and external adversaries. The goal is not just technical compliance, but a cultural and operational shift that embeds security into every digital transaction.
This timeline underscores that the Air Force’s transition to Zero Trust is deliberate, incremental, and mission-critical. It reflects the immense scale of change required to adapt one of the world’s largest military organizations to a new security paradigm—one where verification, segmentation, and continuous vigilance form the backbone of defense.
The Challenges Ahead: Culture, Complexity, and Coordination
The Air Force’s Zero Trust strategy is ambitious, but it is also realistic about the roadblocks ahead. In fact, the strategy openly acknowledges that the “greatest risk” lies not in technology but in institutional resistance to change. For an organization as vast and hierarchical as the Department of Defense, shifting mindsets and processes can be just as difficult as modernizing code or deploying new tools.
The 2020 SolarWinds breach serves as the origin point of this journey. By compromising a trusted software update, attackers were able to infiltrate U.S. government networks and move laterally with alarming ease. It was a stark reminder that implicit trust—the cornerstone of the castle-and-moat model—was no longer viable. For the Air Force, SolarWinds was not just a wake-up call; it became the catalyst for accelerating a Zero Trust agenda that would evolve into pilot programs, new organizational structures, and ultimately, the 2024 Air Force Zero Trust strategy.
One of the most formidable challenges is the weight of legacy systems. Many DoD networks and applications were built long before concepts like micro-segmentation or continuous authentication existed. These platforms were never designed for the kind of granular controls that Zero Trust requires. Mapping out how these older systems interact, identifying hidden dependencies, and reconfiguring them for Zero Trust is a painstaking and resource-intensive process. In some cases, even basic systems—such as logistics applications that still run on mainframes—need custom workarounds just to integrate with modern identity and access controls.
One key challenge for the DoD’s shift to Zero Trust architecture has been the historically fragmented standards landscape—a problem compounded by the department’s federated IT structure. While earlier efforts relied on internal frameworks and guidance, there’s now substantial momentum toward standardization. The Department of Defense’s Zero Trust Reference Architecture aligns closely with NIST SP 800-207, providing a common lexicon and architectural baseline. More recently, NIST expanded the ecosystem by publishing SP 1800-35, which delivers concrete, example-driven implementations of Zero Trust using commercial off-the-shelf tools. These additions mean that while interoperability challenges remain, they no longer stall progress, and the DoD is actively building toward a more unified, standards-aligned future.
The standards environment continues to evolve. Federal agencies now have access not just to DoD-specific models, but also broader Zero Trust maturity frameworks such as CISA’s Zero Trust Maturity Model and the Federal Zero Trust Data Security Guide, which help align definitions and metrics across sectors. At the same time, procurement guidance like the Zero Trust Buyer’s Guide gives agencies clearer pathways to adopt compliant technologies. Together, these resources reduce friction from fragmented implementation approaches and create a foundation for interoperability—enabling the DoD to build a more harmonious, scalable Zero Trust environment even amid the complexity of its global, federated networks.
Zero Trust also represents a cultural transformation. For decades, military and civilian personnel were trained to think of the perimeter as the security barrier. Once inside, trust was assumed, and access was broad. The new reality demands the opposite: continuous verification. Every login, every data request, and every device check is scrutinized, regardless of rank or role. For airmen accustomed to speed and efficiency, these new safeguards can feel like friction. Getting buy-in across all levels—from senior leadership to the warfighter on the ground—is critical. Without cultural acceptance, even the most advanced technical tools will struggle to succeed.
Interoperability adds another layer of difficulty. The DoD is not a single, unified IT environment—it is a federated ecosystem of services, commands, and agencies, each with its own systems and standards. The Defense Information Systems Agency (DISA) has highlighted the lack of universal Zero Trust standards as a barrier to seamless integration. For example, the Air Force’s efforts to implement identity management solutions don’t always align perfectly with similar efforts underway in the Navy or Army, creating potential security blind spots. To address this, the DoD is working closely with the National Institute of Standards and Technology (NIST) to establish frameworks that can ensure consistency across services.
Ultimately, Zero Trust is as much about governance and policy as it is about firewalls, micro-segmentation, and monitoring tools. The challenge lies in ensuring that new rules for access, verification, and segmentation are enforced uniformly across a massive and diverse organization. Policies must evolve in tandem with technology, ensuring accountability while also providing flexibility for mission-critical operations. A system designed to stop unauthorized access must also allow rapid clearance in a combat scenario, where seconds matter.
Taken together, these challenges underscore a central truth: Zero Trust adoption is not a matter of flipping a switch. It is a long-term transformation that requires balancing cultural change, technical modernization, and operational readiness. The Air Force recognizes that progress will be incremental, but also that the stakes are too high to delay. Cyber adversaries are adaptive, and every gap—whether cultural, technical, or organizational—presents an opportunity for exploitation. By confronting these obstacles head-on, the Air Force is positioning itself to build a stronger, more resilient cybersecurity posture for the future battlespace.
Trusted Public-Private Partnership
The success of Zero Trust within the Department of Defense will depend not only on internal reforms but also on strong collaboration with the commercial sector. Industry participation in NIST’s Zero Trust forums has been strongly encouraged, with leaders advising companies to align closely with emerging standards. The goal is straightforward: adopt the standards in their purest form, without adding proprietary variations or “twists” that could create interoperability issues when military systems are integrated at scale. In a defense environment where multiple vendors and platforms must seamlessly work together, consistency is critical.
Like the DoD itself, the Defense Information Systems Agency (DISA) relies heavily on commercial technologies to implement Zero Trust principles. Recognizing this, DISA has opened multiple pathways for companies to engage directly. Through its Small Business Office and the Emerging Technologies Directorate, industry partners can provide technical briefings and showcase new capabilities. The directorate also hosts weekly technical exchange meetings with the DoD’s Chief Information Officer, creating a regular forum where innovative solutions can be aligned with the department’s strategic Zero Trust goals. These touchpoints ensure that the adoption of Zero Trust is not just a government-driven initiative, but a shared mission between public and private sectors.
Conclusion: A No-Fail Mission in the Digital Battlespace
For the Department of Defense, the adoption of Zero Trust is not a matter of choice—it is a matter of survival. The SolarWinds breach revealed with brutal clarity how adversaries exploit blind trust and unmonitored lateral movement. What was once considered a strong perimeter defense has proven porous, and the stakes have only risen as remote work, distributed operations, and supply chain complexity reshape the modern battlespace.
Cybersecurity has become a frontline mission, standing shoulder-to-shoulder with air superiority, logistics, and supply chain resilience. No fighter jet or advanced weapon system can function effectively if the digital infrastructure behind it is compromised. For the Air Force in particular, whose operations depend on real-time data and interconnected networks, defending the digital domain is as vital as maintaining dominance in the skies.
The message is clear: the age of trusted internal networks is over. The future will be defined by explicit verification at every access point, relentless segmentation to contain breaches, and the constant assumption that adversaries are already probing for weaknesses. These principles are not abstract theories—they are now guiding daily practice across the Air Force’s networks as Zero Trust matures from concept to reality.
This is, at its core, a no-fail mission. Failure would not simply mean data loss; it could undermine military readiness, operational advantage, and national security. Success, however, promises a force that is more secure, more resilient, and more data-dominant—a military prepared not only to fight in the skies but also to prevail in the contested, ever-shifting terrain of the digital battlespace.
