May 15, 2025
Subscribe and listen to the Fed Gov Today Podcast anytime on Apple Podcasts, Spotify, or at FedGovToday.com.
Will Schmidt, Technical Portfolio Management Division Chief in the Zero Trust Program Management Office (PMO) at the Department of Defense (DoD), shares insights on how the department is transforming its cybersecurity strategy through a pragmatic, collaborative, and vendor-agnostic approach to zero trust.
He says the DoD’s zero trust journey isn’t tied to a one-size-fits-all vendor solution. Instead, Schmidt explains that his office has categorized solutions into three main courses of action (COAs). The first, COA1, focuses on “legacy uplift” solutions like Thunderdome. COA2 involves commercial cloud service providers such as Microsoft, Google, Amazon, and Oracle. COA3 targets standalone government-owned and operated environments, with Dell as a current example.
Each selected solution undergoes a comprehensive functional assessment to determine whether it can meet either target or advanced levels of zero trust. Schmidt’s team uses a framework of 91 target activities to gauge effectiveness, aligning each environment with clearly defined outcomes instead of rigid configurations.
The evaluation process is highly interactive. Schmidt’s office partners with vendors and DoD components through kickoff meetings and detailed assessments. A key part of this collaboration is the use of a “purple team” approach—blending red teams (attackers) and blue teams (defenders). These teams test the system's resilience by simulating threats, fixing vulnerabilities, and reassessing outcomes.
This iterative process ensures the infrastructure becomes increasingly cyber-hardened with each round of testing. The ultimate goal is to determine whether a system is capable of reaching zero trust targets by emphasizing outcomes such as identity validation, access control, and least privilege principles.
Having served nearly two years in the role, Schmidt notes a significant evolution in the DoD's approach. Early assessments, like the “flank speed” project, were learning experiences. Over time, his office refined the process, enabling faster, more effective evaluations and setting clearer expectations with vendors.
These lessons have allowed Schmidt’s team to develop a shared language around zero trust outcomes, making it easier for various DoD components to understand and adopt consistent standards. This outcome-focused approach fosters flexibility, allowing each organization to achieve the same security goals via different methods, depending on their unique environments.
With three vetted solutions already in place—one for each COA—the Zero Trust PMO isn’t slowing down. Schmidt highlights that additional solutions from major cloud providers are in the pipeline, and some may even be repurposed across COAs. By the end of the year, the team expects more options to be available, encouraging widespread implementation across the department.
As Schmidt puts it, the aim is to stay ahead of adversaries not by enforcing rigid technical requirements, but by focusing on resilient, adaptable outcomes. This forward-thinking, team-based approach reflects the DoD’s commitment to building a secure digital future—one trusted connection at a time.