Recent Defense Cloud Security Guidance and the Implications for Contractors
Published: July 29, 2025
Categories: Federal Market Analysis, Cybersecurity, Defense, Information Technology, Policy and Legislation
Increased scrutiny is coming.
The Department of Defense (DOD) has been busy issuing guidance on the security of the cloud computing solutions that it uses. Three memoranda have come out in July alone, with possible repercussions for companies providing cloud services to defense customers. This week’s article briefly summarizes each of these memoranda and suggests potential implications for the defense cloud market.
Directive-Type Memorandum (DTM) 25-003, “Implementing the DOD Zero Trust Strategy”
Issued on July 17, 2025, DTM 25-003 establishes a new Zero Trust Portfolio Management Office (ZT PfMO) under the DOD Chief Information Officer to oversee the department’s enterprise adoption of ZT architecture and cybersecurity framework by the FY 2027 deadline. The ZT PfMO will be headed by a Chief Zero Trust Officer who will “orchestrate DOD-wide ZT execution, including providing strategic guidance, directing the alignment of efforts, and recommending resource and funding prioritization to advance ZT adoption across the DOD in alignment with the DOD ZT Strategy.”
The memo also directs the National Security Agency / Central Security Service Zero Trust Team to provide the ZT PfMO with technical support evaluating the compliance of commercial cloud solutions. These reviews will almost certainly result in deeper scrutiny of the security protocols and capabilities of commercial cloud service providers (CSPs), so industry partners should be prepared to provide the access and documentation the ZT review teams will need.
Enhancing Security Protocols for the Department of Defense Memorandum
Published on July 18, 2025, this memo directs the DOD CIO and Under Secretaries of Defense (USDs) for Acquisition and Sustainment, Intelligence and Security (I&S) and Research and Engineering to ensure that all IT solutions developed and procured for the DOD are validated as secure against supply chain attacks by adversaries.
Whereas a cursory glance at the memo might lead one to conclude that the guidance applies primarily to hardware solutions, cloud services are also classified as IT solutions, with the named officials instructed to leverage the GSA’s FedRAMP for their reviews. The USD I&S is also directed to review the insider threat programs and capabilities of CSPs. Much like DTM 25-003, this memo will likely result in additional reporting requirements for CSPs, as well as a potential need to replace equipment used to provide the service or capability if it is found to be produced by or vulnerable to adversaries.
Directive-Type Memorandum (DTM) 24-001
Issued on July 23, 2025, DTM 24-001 outlines the responsibilities of DOD mission owners to ensure the cybersecurity of the cloud services they are using. Specifically, mission owners must:
- Ensure that data is migrated to clouds at the appropriate security level.
- Ensure that contracts detail expectations between the mission owner, CSP, DOD entity, or commercial entity for establishing, measuring, and maintaining a required level of performance and delivery.
- Review the FedRAMP and DOD provisional authorization artifacts associated with the mission owner cloud environment to understand the risks that the mission will inherit when using the selected CSP for the mission system or application.
- Review the selected CSP’s cybersecurity capabilities and supporting evaluations as part of a DOD provisional authorization.
- Ensure that contractual language specifies the CSP’s obligation to provide data that meets DOD security requirements.
- Provide access to capabilities, assets and data for DOD and commercial inspection and assessment teams.
- Confirm that the CSP performs the correct steps for cloud services provided at the appropriate Data Impact Levels.
DTM 24-001 could prompt reviews of already awarded contracts for security compliance, and those reviews could result in additional responsibilities for CSPs. The bottom line for CSPs working with the DOD is that increased scrutiny is coming, with all of its potential costs and associated responsibilities. And that is without even mentioning the Cybersecurity Maturity Model Certification (CMMC) requirements that are on the way.