A Call to Accelerate Zero Trust Adoption and Strengthen Our National Cyber Resilience

By Danny Holloway

    On February 26, 2025, the Department of Defense reiterated the critical importance of a Zero Trust (ZT) cybersecurity model, explicitly calling out how outdated security approaches are exposing U.S. warfighters and sensitive defense systems to espionage and theft.

    Many experts, policymakers, and solution providers—ourselves included—have warned for years that our adversaries will target everything from the Department of Defense’s core infrastructure to the systems maintained by contractors and technology vendors.

    Executive Order 14028 of 2021 laid out clear directives to improve the nation’s cybersecurity, including advancing zero trust architectures. Yet here we are, frustrated by the limited progress that has been made since then.

    A New Era of Persistent Threat

    We have seen, in parallel, mounting evidence that adversarial nations freely leverage stolen or copied U.S. data to inform their own weapons development. Perhaps the starkest example is China’s new J-35 fighter program, whose plans closely resemble the next-gen aircraft designs of the U.S.-developed F-35. (See: Air & Space Forces Association report.)

    It’s glaring proof that we need to implement zero trust measures that protect intellectual property, maintain national security, and guard the safety of our warfighters at home and abroad.

    Zero Trust Challenges and the Push for Federated Identity

    Two foundational pillars of any successful zero trust strategy are robust data protections and centralized identity services. Unfortunately, efforts such as DISA’s Thunderdome—which promised identity-centric access and a federated identity solution—seem to be stuck.

    More than two years after a successful prototype, we still do not have an end-to-end federated identity that enables seamless, strongly authenticated, and context-based access control. The continuity of advocating zero trust across two administrations (with the Trump administration continuing to stress its importance) has not yet translated into swift, enterprise-wide progress.

    The Data Pillar: Tagging as a Cornerstone, Persistent Protection as the Finish Line

    Equally critical to realizing a true zero trust architecture is the “data pillar,” in which organizations classify, tag, and protect data based on sensitivity. As the CISA Zero Trust Maturity Model describes, data tagging and labeling significantly enhance an agency’s ability to apply granular access, mitigating unauthorized leakage.

    We have previously covered the importance of open standards to drive interoperability and avoid vendor lock-in. We believe that the Zero Trust Data Format (ZTDF), which has been endorsed by the NATO Combined Communications Electronics Board, and the IC-TDF standard, which has been endorsed by the Office of the Director of National Intelligence with adaptations to specifically address challenges unique to the intelligence community, can be the basis of standardization, and we look forward to endorsement from the Department of Defense.

    Yet, many federal agencies and their partners still struggle to implement consistent classification schemas and adopt the data-centric protections outlined in the Executive Order.

    Completing this foundational step is essential—without robust metadata tagging and labeling, agencies cannot progress to enterprise-wide zero trust enforcement and gain the needed persistent protection provided by a strong encryption-based solution.

    Opportunities for Commercial Solutions

    Adopting modern, proven commercial solutions for identity and access management, such as Okta, PingFederate, SailPoint, and Radiant Logic, that are also based on the prevailing OpenID Connect 2.0 standard can streamline progress toward zero trust. We remain enthusiastic about how industry partnerships can accelerate identity federation, device posture enforcement, and dynamic, context-based access.

    Virtru also sees the value of bridging commercial innovations with mission-specific requirements. Our Data Security Platform, built on OpenTDF, is one such approach, enabling persistent data protection and flexible policy enforcement from creation to consumption to secure the Data Pillar in a Zero Trust Architecture. For more details, see our Data Security Platform overview.

    A Provocative Yet Hopeful Outlook

    We should be alarmed by ongoing adversary success, especially when stolen or imitated designs appear in competing fighter programs like the J-35, but we should also be motivated to act swiftly. A zero trust architecture requires rethinking our policies, tools, and culture—particularly around data labeling, identity management, and automation. If we focus on these foundational pillars, we can achieve the security outcomes envisioned by the White House mandates and the Defense Department’s urgings, protecting not just our warfighters, but every technology user across federal and commercial landscapes.

    It is time for decisions and action with clear milestones, and a willingness to embrace proven commercial technology. Let’s stop postponing these critical upgrades. If the federal government and its technology partners can align around the data pillar and centralized identity management, we will have built the bedrock for the rest of the zero trust framework. Only then can we decisively bolster our cyber defenses, safeguarding our warfighters, preserving technological advantages, and ensuring that our adversaries cannot replicate, degrade, or outmaneuver the United States.
