Air Force Establishes Zero Trust Portfolio Management Office to Meet 2027 Cybersecurity Goals
Published: July 28, 2025 / Updated: July 28, 2025
Diego Ramos
U.S. Army Reserve photo by Spc. William Kuang
The Air Force spent the last week making zero trust a permanent part of its operations. A memo issued on July 22 created a dedicated office to oversee it – the Zero Trust Portfolio Management Office (PfMO) – and named its first chief zero trust officer. This group now has control over timelines, budgets, and green-lighting all service-level implementation efforts tied to the 2027 Defense Department targets.
All commands are now required to use a shared architecture built on the assumption that systems are already compromised. Everything from battle management streams to satellite weather data is handled on an infrastructure that restricts lateral movement and checks access at each step. Teams must now build this into designs from the beginning, not tack it on later. And before a project can move forward, it needs to have funding locked in for identity protection, device health checks, and data tagging.
Aaron Bishop, the department’s top cybersecurity official, said this new process is a forcing function. Speaking in a webcast, he described the back-and-forth between speed and security. “I have a responsibility to protect data, but also to deliver capability,” he said. “That friction helps clarify what the mission really needs – and how to deliver it safely.”
Every office involved in procurement must now label mission data at the source. These tags travel with the data and influence access decisions across systems and links. The directive covers over 180 sites, from air bases to medical and housing facilities. Supply chain rules were also tightened: any new equipment must ship with verifiable firmware, tamper-proof packaging, and a software bill of materials that meets federal guidelines. Some bases, like Hanscom and Maxwell, have already refused gear that didn’t meet those standards. The policy is expected to reach all remote sites by the next quarter.
The myAuth login portal, launched in May, has already reached 900,000 users and is on track to replace the legacy DS Logon for 20 million accounts by late 2026. It uses passwordless access based on device posture. If a machine isn’t up to security standards, it can’t connect. This gives defenders an edge when dealing with stolen credentials. Since the same system is now used across both secure and standard networks, operators don’t have to re-enroll when switching environments.
Behavior-Based Endpoint Detection and Response Reduces Malware and Insider Threats
Two years ago, security still leaned heavily on antivirus tools. That changed with the rollout of behavior-based monitoring across everything from laptops to cockpit displays. The system now watches for unusual patterns in system calls, processes, and network behavior – and stops threats before users even notice. It’s currently closing about 1,500 incidents a day automatically, freeing up cybersecurity teams to focus on more complex risks. “The user never even sees the malicious file,” said CTO Scott Heitmann.
In June, that monitoring caught two attempts to alter boot code before the malicious software could run. There were no existing signatures – only abnormal activity that triggered a lockdown. One example involved a maintenance tablet trying to pair over Bluetooth using factory settings. The tablet was cut off until it passed a check, showing that these rules apply far beyond desktops.
On the infrastructure side, the Air Force just awarded Siemens a $99.3 million contract to upgrade aging electrical systems at Arnold Engineering Development Complex. Swapping out the old gear is expected to cut power disruptions by nearly half – important for cybersecurity tools that don’t tolerate sudden shutdowns.
The Space Force also took a major step with a $4 billion contract vehicle awarded to five firms to develop Protected Tactical Satcom-Global spacecraft. These will include jam-resistant communications and access control built into the endpoints, letting operators treat satellite links more like trusted segments on the ground. The first on-orbit trials are set for 2027, but early design reviews already require zero trust compliance.
Inside aircraft and other mission platforms, data is routed using a control layer that attaches metadata such as the user’s role, device type, classification, and mission importance. Routers check that information against policy and take action without waiting for human input. If something doesn’t match, it’s blocked immediately. Since these controls are part of the system backbone, anything that fails must either shut down or isolate itself – no more fallback to unsecured states.
Air Force Zero Trust Implementation Goals for FY 2026
Roll out a single login system across all networks, from intelligence platforms to local Wi-Fi.
Block any software that doesn’t have a verified bill of materials before it reaches production.
Combine sensor data from utilities and equipment with IT monitoring tools to get a complete view of security risk.
Conduct two hands-on attack simulations each year – one targeting mission systems, one targeting administrative networks.
Make zero trust a requirement in aircraft system certifications going forward.
Progress on these efforts is tracked with a scorecard that looks at how quickly threats are contained, how reliably devices are verified, and whether data tagging is consistently applied. Programs that meet targets get faster go-aheads, while those that fall short risk funding delays. These results also feed into quarterly briefings for the Department of Defense Cyber Council.
The Air and Space Forces are clearly shifting away from treating zero trust as just a compliance exercise. Everything – from login systems to circuit breakers – is now being evaluated through a single lens: data must be traceable, and devices must prove they’re secure before they’re allowed to connect. If the department stays on pace, it’ll have full visibility from the ramp at Misawa to secure satellite links over the equator – well before the 2027 deadline.