DOW CISO: Prepping Overhaul of Cyber Compliance, RMF Process


The Department of War is preparing a sweeping overhaul of its cybersecurity compliance and risk management processes, according to Aaron Bishop, acting principal deputy chief information officer and chief information security officer at the Pentagon.

Speaking Thursday at Potomac Officers Club’s 2026 Cyber Summit, Bishop outlined plans for major reforms to the Department of War’s risk management framework process, arguing the current approach is too slow, paperwork-heavy and outdated to support modern cyber operations and future warfare requirements.

“I hate it the way it is today,” Bishop said of the current RMF process. “It is absolutely, I’m going to say, 1990s mentality.”

Bishop said the Pentagon plans to roll out what he described as “RMF reform” over the coming months, with a focus on simplification, automation and continuous monitoring.

“It will start with simplify. It will end with automation. No more paper,” he said.

The remarks indicated that the Department of War is preparing significant changes to how cybersecurity compliance, authorization and monitoring are managed across military systems and contractor environments.

Why Is the Pentagon Reforming RMF?

Throughout his keynote, Bishop repeatedly contrasted the speed of technological change with what he described as the department’s historically slow-moving modernization processes.

“As we all know, technology moves at a transformational pace, not an evolutionary pace,” he said. “Therein lies the delta we have to close.”

Bishop argued the Pentagon has traditionally relied on incremental modernization approaches while adversaries and technologies continue evolving rapidly.

“We the department—not so good at transforming,” he said. “We’re pretty good at evolving, taking our time to get there.”

The current RMF structure, Bishop argued, creates repetitive review cycles that often become outdated before systems are fully approved.

“Six months later, the document’s outdated and wrong, so we have to start over,” he said.

Instead of relying on static documentation and recurring manual approvals, Bishop said the department wants to move toward automated visibility, telemetry-driven monitoring and real-time operational awareness.

“My goal is to empower our cyber operators’ visibility,” he said. “They need to know what it is they’re defending.”

Bishop said future cybersecurity oversight will rely less on paperwork and more on operational telemetry flowing directly from development pipelines and deployed environments.

“If you have live feeds in a modern way for a CI/CD pipeline for development or daily operations in this DevSecOps world, I get telemetry, so I know what I’m dealing with,” he said.

The Pentagon also intends to standardize expectations across the Department of War and the defense industrial base, reducing confusion around compliance requirements and reciprocity.

“You do it once for the Department of War, you are good to go in the Department of War,” Bishop said.

He added that contractors should be able to clearly understand and meet departmentwide cybersecurity expectations without navigating fragmented guidance structures.

“You’re going to see how the DIB can say, ‘Hey, that’s the expectation. I met it. I’m good to go,’” he commented.

What Did Aaron Bishop Say About Zero Trust?

Bishop also used the keynote to reinforce the Pentagon’s continued push toward zero trust cybersecurity architecture, though he framed the initiative less as a compliance exercise and more as an operational design philosophy.

“Don’t look at it as a compliance mandate,” he said. “Look at it as, that’s our future state we need to move toward.”

Referencing longtime cybersecurity concepts that predate the federal government’s modern zero trust initiatives, Bishop said the department’s focus is on building systems where each component can independently demonstrate security and assurance.

Using a building-block analogy, he described zero trust as securing individual components before integrating them into larger operational systems.

“If I can protect the network and I can protect the operating system and I can protect the data and then bring them together in a way that I can see the whole—zero trust, ladies and gentlemen, that’s all we’re asking for,” Bishop told the audience of contractors.

He also referenced the Department of War’s zero trust targets and foundational activities, describing them as mechanisms to drive modernization and implementation.

“The zero trust mandate is a forcing function,” he said. “Everyone needs to transform. Evolution takes too long.”

Why Is ICAM Becoming a Bigger Pentagon Cybersecurity Priority?

Identity, credential and access management—a.k.a. ICAM—emerged as another central theme, particularly as the Pentagon manages increasingly complex digital ecosystems spanning military personnel, civilians, contractors, mission partners and automated systems.

“Without ICAM, you don’t have zero trust,” Bishop said. “Without ICAM, you really don’t have cybersecurity.”

Bishop said the DOW currently manages millions of identities across multiple networks and mission environments.

“We have millions and millions of identities that we have to deal with on a daily basis,” he said.

Those identities include not only military and civilian personnel but also contractors, retirees, allied partners and machine-based identities associated with operational systems and artificial intelligence technologies.

“Both human identity, non-person identities, system-level identities and now AI identities,” Bishop said.

According to Bishop, the Pentagon plans to increase focus on ICAM centralization, interoperability and alignment with broader zero trust initiatives.

He also emphasized the importance of interoperability with allied and partner nations.

“We have to deal with our mission partners, whether they’re allies or the Five Eyes partners, NATO partners, go down the list,” he said.

How Is the Pentagon Approaching Artificial Intelligence in Cybersecurity?

Artificial intelligence was another major focus of the keynote, though Bishop struck a noticeably cautious tone regarding operational adoption of emerging AI technologies.

“It’s just software that works,” Bishop said of AI.

While acknowledging AI’s potential to accelerate cybersecurity workflows and automate repetitive administrative functions, Bishop warned against overreliance on current large language model technologies in mission-critical environments.

“If it’s 80 percent right and I’m going to put it in my warfighter’s hands—not good enough. It’s not trustworthy,” he said.

Bishop said the Pentagon is continuing to evaluate emerging AI tools through testing and operational analysis rather than wholesale deployment through the DOW’s Chief Digital and Artificial Intelligence Office.

“We’re doing testing and evaluation,” he said. “What does it do? How does it do it? Is it good at it?”

He also warned that AI-enabled offensive cyber capabilities are accelerating attack timelines and changing how adversaries exploit vulnerabilities.

“What’s interesting about it is it likes to chain some of these vulnerabilities together in order to create faster attack patterns,” Bishop said.

According to Bishop, those developments could force organizations to rethink patch management priorities, particularly as AI tools become increasingly capable of combining multiple low-level vulnerabilities into operational attack paths.

“Patches are a way of life,” he said. “Patches are going to come fast and furious.”

What Other Cybersecurity Priorities Did Bishop Highlight?

Beyond RMF reform, zero trust and AI, Bishop also discussed operational technology security, supply chain risk management and cyber workforce modernization.

He warned that operational technologies, including industrial control systems, robotic systems, medical devices and weapons platforms, are increasingly becoming part of the cybersecurity attack surface.

“That means it’s technology,” Bishop said. “That means it needs to be identified, protected, continuously monitored and understood, because it can be, like anything else, weaponized against us.”

Bishop also previewed additional supply chain cybersecurity guidance intended to simplify requirements for contractors and vendors supporting the Department of War.

“My goal for you, to help you, on one page, here are the requirements,” he said. “Please meet them.”

The keynote additionally highlighted the Pentagon’s recently announced Cyber Registered Apprentice Program, known as Cyber RAP, part of broader workforce modernization efforts being led through the CIO’s office.

Who Is Aaron Bishop?

Bishop serves as acting principal deputy CIO and chief information security officer at the Department of War, where he oversees departmentwide cyber policy, governance, risk management and modernization initiatives.

The Pentagon selected Bishop earlier this year to lead the department’s cybersecurity enterprise following the departure of longtime cyber official David McKeown. Defense leaders pointed to Bishop’s combination of federal, military and private-sector cybersecurity experience as a key factor in his appointment.

Before assuming his current role, Bishop served as chief information security officer for the Department of the Air Force, advising senior leaders on cyber strategy, workforce development and information security operations across the service’s enterprise IT environment.

His previous government portfolio included oversight responsibilities involving operational technology security, cyber supply chain risk management, cryptographic modernization and cybersecurity accountability for both information systems and weapons systems supporting military operations.

Prior to entering federal service, Bishop held senior cybersecurity leadership roles in industry, including positions at SAIC and Microsoft, where he supported national security, intelligence and defense customers. He also founded cybersecurity-focused organizations Eigenspace and Quantum Security Alliance.

Bishop is a Navy veteran and longtime cybersecurity executive with experience spanning both government and private-sector cyber operations.
