DoD’s Zero Trust Strategy is the most consequential deadline most defense contractors aren’t yet paying enough attention to. It’s not part of CMMC. It’s not in DFARS. It’s a separate FY27 deadline, with a separate enforcement mechanism, sized for an effort comparable to CMMC Level 2 in scope and meaningfully larger in technical depth. Defense contractors planning their FY27 cybersecurity capacity around CMMC alone will discover, somewhere in mid-2026, that the prime they want to win awards from is also asking for Zero Trust Target Level readiness — and that their CMMC engagement, however well-executed, only addresses a fraction of what Target Level requires.
This article is the practitioner’s view of what DoD Zero Trust is, what Target Level actually requires, where it overlaps with CMMC and where it doesn’t, what primes are flowing down, and how to sequence a 2026-2027 program that builds toward both simultaneously.
The deadline that’s not getting enough attention
The DoD Zero Trust Strategy was published in November 2022, elaborated through the Zero Trust Capability Execution Roadmap and the 2024 Zero Trust Overlays, and is moving into mandatory implementation through FY27. The headline numbers:
- September 30, 2027 (end of FY27) — Target Level deadline for DoD components and Defense Industrial Base partners
- 91 capability outcomes across seven pillars at Target Level
- 61 additional Advanced Level capabilities by 2032
- Zero Trust Strategy 2.0 expected from the Pentagon in early-to-mid 2026 — likely refines the Target Level capability set and clarifies DIB applicability
The enforcement mechanism is what gets defense-contractor attention: organizations that miss Target Level by FY27 face contract ineligibility — they cannot receive new awards, have options exercised, or have periods of performance extended. Existing contracts in flight aren’t terminated, but the moment your contract reaches its next option year or extension window, Zero Trust readiness is gating.
That second-order consequence is the one that shows up first in real procurement. A subcontractor on a five-year prime contract with annual option exercises starting in October 2027 is functionally on a Target Level deadline of summer 2027, because the prime will ask for Zero Trust evidence before exercising, and pre-award questions about readiness begin in 2026. Contract by contract, the deadline arrives months, and for new awards a year or more, before the formal date suggests.
What “Target Level” actually means
Target Level is defined as 91 capability outcomes across the Zero Trust Strategy’s seven pillars. In the roadmap’s own vocabulary these are “activities”: the DoD Zero Trust Capability Execution Roadmap groups 152 activities under 45 capabilities, designates 91 of them Target Level and the remaining 61 Advanced Level, and gives each a specific outcome statement. These are not controls (CMMC-style implementation requirements) — they are operational capability outcomes that the organization demonstrates. The distinction matters.
A control says: “implement multi-factor authentication for all privileged users.” A capability outcome says: “demonstrate continuous identity verification with risk-based conditional access policies that adjust authorization decisions in real time based on session telemetry.” The outcome implies a specific operational state, not a specific implementation. Two organizations can satisfy the outcome with very different technology stacks.
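To make the distinction concrete, here is an added illustration (not code from the DoD strategy or roadmap, and not a reference implementation of either): the control sentence as a one-time login gate, and the outcome sentence as a small policy decision point that re-evaluates an already-authenticated session every time new telemetry arrives. The signal names, thresholds and the sample session are assumptions chosen for illustration; a real deployment would take these signals from its identity provider, device-management and UEBA tooling.

```python
# Added example: login-time control vs. continuous, risk-based conditional access.
# Not DoD reference code. Signal names, thresholds and the sample session are
# assumptions for illustration only.
from dataclasses import dataclass
from enum import Enum

PRIV_MFA_MAX_S = 15 * 60      # privileged sessions: MFA must be fresher than 15 minutes
STD_MFA_MAX_S = 8 * 3600      # standard sessions: MFA must be fresher than 8 hours


class Decision(Enum):
    ALLOW = "allow"           # session continues unchanged
    STEP_UP = "step_up"       # session continues only after a fresh MFA challenge
    REVOKE = "revoke"         # session is terminated and tokens invalidated


@dataclass(frozen=True)
class Telemetry:
    """Signals a conditional-access engine receives for one session at one instant."""
    device_managed: bool      # device is enrolled in management (assumed IdP/MDM signal)
    device_compliant: bool    # posture check (patch level, disk encryption, EDR) passed
    mfa_age_s: int            # seconds since the last successful MFA
    impossible_travel: bool   # geo-velocity flag from the identity provider
    anomaly_score: float      # 0.0 (normal) to 1.0 (highly anomalous) from a UEBA layer
    privileged: bool          # session holds an elevated role


def login_gate(t: Telemetry) -> Decision:
    """Control-style check: MFA for privileged users, evaluated once at login."""
    if t.privileged and t.mfa_age_s > PRIV_MFA_MAX_S:
        return Decision.STEP_UP
    return Decision.ALLOW


def evaluate(t: Telemetry) -> Decision:
    """Outcome-style check: a risk-based decision from the current telemetry.

    Called on every telemetry update, so a session that was clean at login is
    stepped up or revoked as soon as its risk picture changes.
    """
    # Hard failures that end the session regardless of role.
    if not t.device_managed or t.impossible_travel or t.anomaly_score >= 0.9:
        return Decision.REVOKE
    if t.privileged:
        # Privileged sessions: non-compliant posture is not tolerated at all,
        # and both stale MFA and moderate anomaly force a fresh challenge.
        if not t.device_compliant:
            return Decision.REVOKE
        if t.mfa_age_s > PRIV_MFA_MAX_S or t.anomaly_score >= 0.5:
            return Decision.STEP_UP
        return Decision.ALLOW
    # Standard sessions: posture drift, elevated anomaly or stale MFA -> step up.
    if not t.device_compliant or t.anomaly_score >= 0.7 or t.mfa_age_s > STD_MFA_MAX_S:
        return Decision.STEP_UP
    return Decision.ALLOW


def replay(events):
    """Run both models over one session's telemetry stream.

    Returns (login_only, continuous): the login gate decides once and is never
    revisited; the continuous evaluator decides again on every event.
    """
    once = login_gate(events[0])
    login_only = [once for _ in events]
    continuous = [evaluate(e) for e in events]
    return login_only, continuous


# Constructed sample session (not captured data): a privileged user logs in
# cleanly, the MFA goes stale, the device drops out of compliance, and after a
# re-authentication the UEBA layer flags strongly anomalous behaviour.
SAMPLE_SESSION = [
    Telemetry(True, True, 30, False, 0.05, True),        # login: fresh MFA, compliant
    Telemetry(True, True, 20 * 60, False, 0.10, True),   # +20 min: MFA stale for a privileged role
    Telemetry(True, False, 20 * 60, False, 0.10, True),  # posture check now fails
    Telemetry(True, True, 60, False, 0.95, True),        # re-authenticated, then anomaly spike
]

if __name__ == "__main__":
    login_only, continuous = replay(SAMPLE_SESSION)
    for i, (a, b) in enumerate(zip(login_only, continuous)):
        print(f"event {i}: login-gate={a.value:8} continuous={b.value}")
```

Run stand-alone, the login gate answers `allow` four times because it was satisfied once; the continuous evaluator answers `allow`, `step_up`, `revoke`, `revoke`. That difference is the whole distance between the control sentence and the outcome sentence: the same MFA and posture signals exist in both cases, but only the second model consumes them after the session is open.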
The seven pillars and their high-level capability themes:
1. User. Continuous identity verification, MFA everywhere (including for service accounts and machine identities), conditional access tied to risk telemetry, privileged access management with just-in-time elevation, identity governance with regular access reviews. Roughly 12 Target Level capabilities.
2. Device. Comprehensive device inventory across all endpoint classes (workstations, mobile, servers, IoT, unmanaged BYOD where permitted), device-trust signals fed into access decisions, posture compliance with automated remediation, detection of unmanaged device connections. Roughly 11 Target Level capabilities.
3. Application. Application discovery and inventory, secure-by-design SDLC practices, runtime application protection (RASP-class controls), micro-segmentation between applications, API security, application-layer logging that integrates with the broader Visibility pillar. Roughly 13 Target Level capabilities.
4. Data. Data discovery and classification at the object level, tagging of sensitive data, encryption at rest and in transit with key management discipline, data loss prevention with policy enforcement at egress points, data lifecycle management including retention and destruction. Roughly 14 Target Level capabilities.
5. Network and Environment. Network segmentation at multiple granularities (macro to micro), encrypted transport for all internal traffic, software-defined perimeters or equivalent, internal traffic inspection, telemetry collection at network boundaries. Roughly 12 Target Level capabilities.
6. Automation and Orchestration. Security orchestration platforms integrating identity, device, network, and data signals, policy-as-code with version-controlled deployment, automated incident response runbooks, machine-speed threat response for known patterns. Roughly 13 Target Level capabilities.
7. Visibility and Analytics. Comprehensive logging with consistent retention, SIEM/SOAR maturity sufficient for cross-pillar correlation, UEBA capabilities producing risk telemetry that feeds the User and Device pillars, threat hunting program with documented procedures, integration with DoD-wide threat intelligence. Roughly 16 Target Level capabilities.
Numbers above are approximate — the published capability roadmaps have evolved through 2024 and 2025, and Strategy 2.0 will refine them again. The point is the distribution: the Visibility, Data, and Application pillars have the highest Target Level capability counts, and they are the pillars most defense contractors are currently weakest in.
Where Zero Trust demands more than CMMC Level 2
This is the section that matters most for defense contractors planning their FY27 cybersecurity investment. CMMC Level 2 is a real bar — 110 controls assessed by a C3PAO with no shortcuts. But CMMC Level 2 alone does not satisfy Target Level Zero Trust. The gap is substantial and concentrated in specific pillars.
User pillar — moderate overlap. CMMC Level 2 access-control (3.1.x) and identification-and-authentication (3.5.x) controls require role-based access, account management, separation of duties, least privilege, and MFA for privileged accounts and for network access to non-privileged accounts (3.5.3). Target Level Zero Trust extends this to: continuous identity verification (not just at login), risk-based conditional access (session-by-session decisions adjusted by telemetry), privileged access management with just-in-time elevation, and MFA for every access path and every identity, including local access by non-privileged users and service and machine identities. A CMMC Level 2 program at perfect compliance is roughly 60-70% of the way to Target Level User pillar.
Device pillar — moderate overlap. CMMC Level 2 covers device inventory (3.4.1), configuration management (3.4.x), and access enforcement, but not device-trust signaling, posture compliance with automated remediation, or comprehensive coverage of mobile/IoT/unmanaged device classes. A CMMC Level 2 program covers ~40-50% of Target Level Device.
Application pillar — minimal overlap. This is where the gap widens. CMMC Level 2 has no specific application security controls — application protection is implicit in system and information integrity (3.14.x) but not specified at the depth Target Level requires. Secure-by-design SDLC, runtime application protection, application-layer micro-segmentation, and API security are not CMMC Level 2 obligations. Defense contractors with software-development scope have meaningful Application pillar gaps after CMMC.
Data pillar — minimal overlap. CMMC Level 2 requires CUI to be marked, protected in transit and at rest, and handled per access-control policy — but not at the object-level tagging granularity, runtime DLP enforcement, and automated data lifecycle management Target Level expects. The Data pillar is the second-largest CMMC-to-Zero-Trust gap.
Network pillar — moderate overlap. CMMC Level 2 network controls (3.13.x) cover boundary protection, encrypted transmission, separation of subnets, and similar mid-level network security. Target Level adds micro-segmentation between workloads, software-defined perimeters, and ubiquitous encrypted internal transport (not just at boundaries). CMMC ~50-60% of Target Level Network.
Automation pillar — minimal overlap. CMMC Level 2 does not require SOAR-class automation or policy-as-code. The Automation pillar is largely a Zero-Trust-specific capability investment.
Visibility pillar — heavy overlap. CMMC audit-and-accountability controls (3.3.x) require comprehensive logging, log review, and incident detection. The Visibility pillar extends this to UEBA, threat hunting, and cross-pillar correlation, but the foundation is the same. CMMC Level 2 at perfect compliance is 70-80% of the way to Target Level Visibility for the logging-and-monitoring components.
The pattern: CMMC Level 2 gets you most of the way on User, Network, and Visibility — the pillars where the regulatory baseline (NIST 800-171 Rev 2) and Zero Trust outcomes naturally converge. It barely touches Application, Data, and Automation, which are where the engineering investment is.
What primes are actually flowing down
In practice, primes flow down Zero Trust readiness to subcontractors in three patterns:
Pattern 1 — Capability roadmap requirement. Subcontract security exhibit asks the sub to produce and maintain a Zero Trust capability roadmap with target dates aligned to FY27 Target Level. Used by primes who are themselves still figuring out their own roadmap and want subs to be planning, not delivering. Most common pattern in 2025-2026.
Pattern 2 — Specific capability commitment. Subcontract names specific Target Level capabilities the sub must achieve by specific dates. Capabilities chosen are typically User pillar (continuous identity verification, conditional access) and Visibility pillar (SIEM coverage, threat hunting). Used by primes with mature Zero Trust programs of their own who want subs aligned to their architecture.
Pattern 3 — Full Target Level commitment. Subcontract requires Target Level achievement by FY27 deadline, with annual evidence checks. Used selectively for high-sensitivity programs and emerging in 2026 for subcontracts with FY27+ option years. Most demanding pattern; expected to expand over 2026-2027.
Subcontractors should expect questions from primes about Zero Trust readiness in pre-award evaluations starting in 2026, separate from CMMC certification questions. Our prime evaluation article covers what other questions accompany this in modern Tier-1 prime evaluations.
A sequencing plan that builds toward both
For a defense contractor with CMMC Level 2 in flight (or recently completed) and Zero Trust Target Level on the FY27 horizon, the operating question is: what do you build now that satisfies both? The honest answer requires sequencing across three time windows.
2026 (CMMC year + Zero Trust foundation)
Focus on the pillars where CMMC Level 2 work and Zero Trust foundation overlap. Treat the engagement as a single program with two compliance outputs.
- User pillar foundation: Identity provider with MFA for all users, conditional access policies tied to device-trust signals, PAM solution for privileged accounts. The CMMC AC and IA controls are subsets of these; investing here once produces both outcomes.
- Visibility pillar foundation: SIEM with comprehensive log ingestion across identity, endpoint, network, and cloud sources. UEBA layer if budget allows. Threat hunting program with documented procedures. CMMC AU controls satisfied as a byproduct.
- CMMC Level 2 certification. Run the engagement, achieve certification before Phase 2 (Nov 10, 2026). Our CMMC Level 2 timeline article covers the month-by-month.
2027 first half (Target Level critical path)
The pillars CMMC didn’t address. These require dedicated investment, not byproducts.
- Data pillar: Object-level data classification and tagging tooling. Encryption key management with rotation discipline. DLP at egress with policy enforcement. Data lifecycle automation.
- Application pillar: SDLC security tooling integrated into the build pipeline. Runtime application protection where applicable. Micro-segmentation between applications using service-mesh or equivalent.
- Device pillar extension: Device-trust signaling integrated with the User pillar’s conditional access. Posture compliance automation. Mobile and IoT device coverage.
- Network pillar extension: Micro-segmentation deeper than CMMC required. Encrypted internal transport across all workload-to-workload paths.
2027 second half (Target Level demonstration)
Capability evidence collection and prime evaluation prep.
- Automation pillar: SOAR platform with playbooks for the most common incident classes. Policy-as-code for security configurations. Automated response for known patterns.
- Cross-pillar evidence package: Capability outcome documentation per pillar with evidence trails. Designed to support prime evaluation requests in 2027-2028.
- Sustainment plan: What happens after Target Level — staffing, tooling refresh, capability maintenance. Target Level is not a one-time achievement.
This sequencing assumes a defense contractor with mid-tier security maturity entering 2026. Larger contractors with established programs can compress; less mature contractors will need to extend timelines and possibly accept some FY27 contract ineligibility for the highest-sensitivity awards.
The contract-ineligibility risk in practice
The September 30, 2027 deadline doesn’t trigger a single binary event — it triggers a rolling series of contract-by-contract eligibility decisions. Here’s how it actually plays out:
Existing contracts in their current period of performance: No immediate impact. Contract continues to execute under existing terms.
Existing contracts approaching option exercise after 9/30/2027: Prime contracting officer evaluates Zero Trust readiness as part of the option-exercise decision. A contractor without Target Level demonstrable evidence may have their option not exercised. This is the most common form of consequence and starts mattering as early as Q3 2027 for early-FY28 option years.
New solicitations issued after 9/30/2027: Zero Trust Target Level becomes a baseline evaluation factor. Contractors who can’t demonstrate Target Level capability are non-responsive, similar to how subcontractors lacking CMMC Level 2 will be non-responsive starting Phase 2.
Contract modifications after 9/30/2027: Material modifications (scope expansions, period of performance extensions, technology refresh adds) may trigger Zero Trust evaluation depending on the contracting officer’s interpretation. Less predictable than option exercises, but a real risk.
Subcontract flowdown: Independent of DoD direct enforcement, primes will increasingly require subcontractor Zero Trust evidence to manage their own compliance posture. This pressure becomes operational well before September 2027 — primes building their own programs will pull their subcontractor base along.
The defense contractor that treats 9/30/2027 as a hard deadline rather than a rolling-eligibility shift will over-budget for the deadline and under-budget for the operational steady state. The defense contractor that treats it as “we have time, we’ll deal with it in 2027” will underbudget for both. The right framing is: 2026 is the year you build foundations and get CMMC certified, 2027 is the year you complete the Zero Trust capability buildout, and the work doesn’t end on September 30 — it continues as ongoing capability maintenance through the 2032 Advanced Level deadline.
Where Fortinetics fits
Most defense contractors approaching DoD Zero Trust will discover, somewhere in 2026, that they need a partner who can run a single coordinated program covering both CMMC Level 2 (regulatory deadline November 2026) and Zero Trust Target Level (capability deadline September 2027). The two engagements share architectural foundations — identity, network, visibility — and run in parallel cost-efficiently when designed together. They are expensive and fragmented when run sequentially as separate engagements.
Our services portfolio covers both. If you’re entering 2026 with CMMC certification on the front burner and Zero Trust Target Level on the back, book a 30-minute scoping call — we’ll walk through your specific environment and tell you, honestly, whether running both as a single program saves materially over running them separately, and what the engagement shape would look like.
Related reading:
- How primes evaluate CMMC-certified subs — covers the prime-evaluation angle that increasingly includes Zero Trust readiness
- CMMC Level 2 timeline — the Phase 2 cliff that’s the front-loaded deadline before Zero Trust becomes the next worry
- What changed in compliance — Q2 2026 briefing — Zero Trust is one of ten consequential changes covered there
- CMMC Level 2 real cost — pricing context for understanding what an integrated CMMC + Zero Trust program might cost vs. running them separately