November 4, 2025
Former Pentagon Deputy CIO Rob Carey joins Fed Gov Today with Francis Rose to talk about one of the Department of Defense’s toughest challenges — moving fast enough to adopt new technology while staying secure in an increasingly complex cyber environment. Carey, who also served as the Navy’s Chief Information Officer, explains that the Pentagon’s new cybersecurity risk management construct is not just another compliance framework. It’s a “cultural shift,” he says, in how the department approaches security and technology modernization.
Carey describes today’s cybersecurity landscape as a battle between increasing complexity and the desire for simplicity. “There’s no way to go from complexity to simplicity,” he says. Systems are more interconnected, data volumes are massive, and adversaries are
constantly evolving. Each new system added to a network brings more risk, and validating that a system meets security standards is a painstaking process. While automation and artificial intelligence can help speed up parts of that work, Carey emphasizes that AI is still an emerging capability in the federal cybersecurity space. “It’s showing its benefit and its value,” he says, “but it takes time to teach the models what normal looks like.”
He points out that both attackers and defenders are now using AI — a double-edged sword that raises the stakes for cybersecurity teams. While AI can automate routine security tasks, there’s still a need for human oversight. “You still have to have confidence that you’re getting what you expected,” Carey explains. Even as AI matures, humans remain critical in managing risk, determining access, and understanding the true security posture of a system.
Cost is another key factor. Carey says the Department of Defense, like any large organization, has to balance the level of protection it wants with what it can afford. Not every system requires the same level of security, and deciding how much to spend depends on the sensitivity of the data and the mission it supports. “The price for implementing ‘we want to secure everything’ is rather astronomical,” he notes. Instead, leaders have to evaluate what is worth protecting most and how much they are willing to spend to make it hard for adversaries to get in.
That same balance between ambition and practicality extends to cloud modernization. Carey discusses the next generation of the Joint Warfighting Cloud Capability (JWCC), a multi-vendor cloud contract designed to support DOD missions worldwide. He calls JWCC “an awesome opportunity” that provides a unified platform for buying cloud services with consistent cybersecurity protections. But as the department looks to the next iteration of JWCC, he warns that technology and requirements move faster than the acquisition process. “We can’t take years and years and years to let a contract to buy future-looking technology,” Carey says. “You’re buying what’s in the contract, not what you think you want.”
Carey’s message is clear: the Pentagon must continue to innovate while managing complexity and cost. From AI-assisted cybersecurity to flexible cloud architectures, the future depends on balancing speed with security — and that requires not just new technology, but new ways of thinking about how to buy, build, and protect it.
Please fill out the requested information below