Tags: Zero Trust, DoD, OT Security, Weapon Systems, Data Pillar

DoD Zero Trust Strategy 2.0 Extends to OT and Weapon Systems

[Cover image: DoD Zero Trust Strategy 2.0 Extends to OT and Weapon Systems]

DoD Zero Trust Strategy 2.0, published in March 2026, expanded the scope of the department's zero trust mandate. Operational technology, IoT, defense critical infrastructure, and weapon systems are now in scope alongside the traditional IT enterprise. The data pillar is the integration point for each of the newly in-scope surfaces, because it is the one pillar whose controls travel with the data rather than with the network.

The 2022 strategy applied to enterprise networks and identity. Strategy 2.0 inherits the original 91 FY27 capability outcomes and adds 61 advanced FY32 outcomes, applying the full set across deployment surfaces that had been carved out before. Defense primes are scrambling to assess the impact on weapon system program offices.

What changed in scope

The original 2022 strategy treated tactical and weapon systems as out-of-scope. Strategy 2.0 closes that carve-out. Programs across PEO Aviation, PEO Soldier, PEO C3T, and similar offices now inherit the same target-level maturity expectations as enterprise IT.

The change is not rhetorical. FY27 acquisition packages reference Strategy 2.0 capability outcomes by number. Weapon system program offices that had been planning around perimeter-based controls now have a documented gap against pillars that assume cryptographic enforcement at the data layer.

The data pillar problem

The data pillar's target-level outcomes include data tagging, data monitoring and sensing, data encryption and rights management, and data loss prevention. Each outcome assumes the data object carries enforceable policy. On enterprise IT, that assumption maps to existing storage and email products. On a weapon system bus or a forward-edge tactical node, it does not.

Forward-edge deployments share three characteristics that break network- and session-centric zero trust controls: intermittent connectivity, constrained compute, and adversary proximity. Identity-aware proxies and continuous authentication need a policy decision point they can reach at request time; a disconnected node cannot reach one, so every request either fails open or fails closed. The data pillar's outcomes do not depend on that round trip. Policy enforced cryptographically on the object survives disconnected operation, because the object carries its own access attributes and its data key is released only to a subject that satisfies them, not to whoever holds a session.

What survives in OT and weapon systems

Data-centric zero trust binds policy to the object: the object's metadata carries its classification and handling attributes, and the policy enforcement point (PEP) evaluates them against the subject's attributes locally using attribute-based access control (ABAC). Encryption uses post-quantum key encapsulation (ML-KEM, FIPS 203) at the ML-KEM-768 or ML-KEM-1024 parameter set depending on classification, wrapping the per-object data key for each authorized recipient. Merkle-tree lineage records every read, write, and forward in a tamper-evident audit trail, so a deleted, reordered, or altered entry changes the root the object later reports.

This pattern is the architectural answer to the new scope. A weapon system bus running disconnected for an hour, a day, or a deployment cycle still enforces classification on every data object. When the system reconnects, lineage replays into the central audit. The data pillar's target-level outcomes are met without a synchronous policy decision point.
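The two mechanisms described above, object-bound ABAC evaluated without a reachable policy decision point and a Merkle-tree lineage that the central audit verifies on reconnect, as an added example. This is illustrative code written for this post, not Lattix's product or any DoD reference implementation. The ML-KEM key wrapping is assumed to sit in a separate layer and is not shown here; the classification ordering, caveat and role names, the object identifier, and the two sample subjects are all constructed for the example.

```python
"""Object-bound ABAC plus Merkle-tree lineage for disconnected operation.

Added illustrative example, not Lattix or DoD code. Key encapsulation
(ML-KEM) is assumed to happen in a separate layer and is omitted; this
shows only the policy the object carries and the audit trail it builds.
Classification levels, caveats, roles and subjects are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field

# Constructed ordering of classification levels, low to high.
LEVELS = {"U": 0, "CUI": 1, "S": 2, "TS": 3}


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _leaf(event: dict) -> str:
    # Canonical JSON so the same event always hashes identically; 0x00
    # prefix separates leaf hashes from interior-node hashes.
    canon = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return _h(b"\x00" + canon)


def merkle_root(leaves: list) -> str:
    """Root over an ordered list of leaf hashes (hex). Order is part of the
    commitment, so reordering events changes the root."""
    if not leaves:
        return _h(b"")
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate last leaf to pair it
        level = [
            _h(b"\x01" + bytes.fromhex(level[i]) + bytes.fromhex(level[i + 1]))
            for i in range(0, len(level), 2)
        ]
    return level[0]


@dataclass
class DataObject:
    """A data object that carries its own policy attributes and lineage."""
    object_id: str
    classification: str
    caveats: frozenset
    lineage: list = field(default_factory=list)

    def decide(self, subject: dict, action: str) -> bool:
        """ABAC evaluated at the PEP from object metadata alone; no round
        trip to a policy decision point. Every attempt, permitted or not,
        is appended to the lineage so the audit sees denials too."""
        cleared = LEVELS.get(subject.get("clearance"), -1) >= LEVELS[self.classification]
        caveats_ok = self.caveats <= frozenset(subject.get("caveats", ()))
        roles = set(subject.get("roles", ()))
        if action == "read":
            allowed = cleared and caveats_ok
        elif action == "write":
            allowed = cleared and caveats_ok and "operator" in roles
        elif action == "forward":
            allowed = cleared and caveats_ok and "release_authority" in roles
        else:
            allowed = False  # unknown action: fail closed
        self.lineage.append({
            "seq": len(self.lineage),
            "object": self.object_id,
            "subject": subject["id"],
            "action": action,
            "decision": "permit" if allowed else "deny",
        })
        return allowed

    def root(self) -> str:
        """Merkle root the node reports when it reconnects."""
        return merkle_root([_leaf(e) for e in self.lineage])


def verify_replay(events: list, claimed_root: str) -> bool:
    """Central-audit side: accept a replayed lineage only if the sequence
    numbers are contiguous (no dropped or reordered events) and the
    recomputed root matches what the object committed to."""
    if [e["seq"] for e in events] != list(range(len(events))):
        return False
    return merkle_root([_leaf(e) for e in events]) == claimed_root


if __name__ == "__main__":
    # Constructed sample: a SECRET//NOFORN track and two subjects.
    obj = DataObject("track-0042", "S", frozenset({"NOFORN"}))
    analyst = {"id": "analyst-1", "clearance": "TS", "caveats": ["NOFORN"], "roles": ["operator"]}
    liaison = {"id": "liaison-7", "clearance": "TS", "caveats": [], "roles": ["operator"]}
    print(obj.decide(analyst, "read"), obj.decide(liaison, "read"))
    root = obj.root()
    print("replay ok:", verify_replay(obj.lineage, root))
```

In a deployment the data key wrapped under ML-KEM would be unwrapped only after `decide` returns true, and the reported root would be signed by the node so the audit can attribute it; both are left out here to keep the policy and lineage logic visible.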

What program offices should do now

Map current OT and weapon system data flows against the 91 FY27 capability outcomes and the 61 FY32 advanced outcomes from the DoD Zero Trust Overlays. Identify which outcomes assume control-plane reachability. Those are the outcomes that perimeter-based zero trust products cannot satisfy on a tactical node, and they are the ones data-centric architectures answer.

DoD ZT Portfolio Management Office statements from Randy Resnick frame this transition as a sequence, not a switch. Programs that begin the data pillar work in FY26 against ABAC, post-quantum key encapsulation, and Merkle-tree lineage are positioned for the FY27 capability outcomes deadline. Programs that wait inherit a gap that acquisition language is already starting to document.

The strategy is not optional

Strategy 2.0 is a directive, not guidance. The capability outcomes are tracked in the DoD Zero Trust Overlays, which assign 152 outcomes across seven pillars and report progress against each. DISA Thunderdome scored 152/152 on network and identity controls under the original strategy. That kind of measurement now applies to OT and weapon systems too. The data pillar is where most program offices still carry the most debt.
