What the DoD’s Missteps Teach Us About Cybersecurity Fundamentals for 2026

  • Shmulik Yehezkel--securityboulevard.com
  • published date: 2025-11-18 00:00:00 UTC

<p><span data-contrast="auto">Every year in cybersecurity brings faster detection, smarter AI, and new tools <a href="https://securityboulevard.com/2025/11/what-tools-empower-better-secrets-security-management/" target="_blank" rel="noopener">promising to stay ahead of attackers</a>. Yet 2025 delivered a sobering reminder – no amount of innovation can compensate for neglecting the basics. Even the most elite organizations, the U.S. Department of Defense and Israel’s elite Unit 8200, stumbled, not because of unknown exploits or state-sponsored attacks, but because foundational practices were overlooked.</span><span data-ccp-props="{}"> </span><span data-contrast="auto">The future of cybersecurity will belong not to those chasing the next breakthrough, but to those who master the fundamentals that hold everything else together. Supply chain oversight, vendor governance, and proximity management may not make headlines, but they are the invisible scaffolding of cyber resilience. As we approach 2026, these basics are no longer optional; they are mission-critical.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><h3 aria-level="2"><b><span data-contrast="auto">2025 Wake-Up Calls</span></b><span data-ccp-props='{"134245418":false,"134245529":false,"335559738":360,"335559739":80}'> </span></h3><p><span data-contrast="auto">In July 2025, reports revealed that Microsoft had relied on China-based contractors, so-called “digital escorts”, to help manage DoD cloud workloads. 
Two months later, Microsoft restricted Unit 8200’s Azure access following concerns about how Israeli operators used cloud resources.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">These were not zero-days or cloud misconfigurations buried deep in code. They were governance failures, proof that vendor relationships, contractor access, and platform dependencies remain fertile ground for compromise. 
The fact that two respected and battle-tested organizations were caught off guard underscores how easily “known” risks can turn into existential ones.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Supply chain and proximity risks share three defining traits. First, they are active and not theoretical. Every modern enterprise already depends on external vendors, cloud providers, and on-site connected devices. Second, they are cross-domain, bridging cybersecurity, physical security, and privacy in ways that demand collaboration between CISOs and CSOs. And third, they are persistent and expanding. The more organizations digitize, the more their vendor and proximity footprints grow, and so does the attack surface.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Because these surfaces are both cross-functional and continuous, they cannot be governed by checkbox compliance or quarterly audits, but require daily shared accountability.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><h3 aria-level="2"><b><span data-contrast="auto">Why the Consistent Failure?</span></b><span data-ccp-props='{"134245418":false,"134245529":false,"335559738":360,"335559739":80}'> </span></h3><p><span data-contrast="auto">Even though most security practitioners understand that supply chain and proximity are weak spots, they still too often overlook them. Why? The reason is that these risks often fall between the cracks of responsibility. Procurement manages the contracts, CISOs oversee digital risk, and CSOs handle physical environments, but no one owns the full picture, causing accountability to blur and control gaps to open, enabling the perfect conditions for compromise.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">They also defy neat categorization. 
Both supply chain and proximity threats span technology, people, and place, making them difficult to contain with any single safeguard. A contract or ISO certification can’t stop a careless employee, an insider with access, or an on-site technician plugging in a compromised device. </span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">This gap isn’t just structural, it’s cultural. I recently met with the CISO of a major global hotel chain. After walking him through proximity-related vulnerabilities, from rogue access points to compromised maintenance devices, he said he wasn’t going to deal with it immediately because he was focused on other projects and what he considered “sufficient threats.” That mindset reflects a broader industry problem, a lack of understanding of the business implications of proximity risks and their direct connection to operations, reputation, and even guest safety.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><h3><b><span data-contrast="auto">Building a Real Fundamentals Program</span></b><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></h3><p><span data-contrast="auto">For years, proximity risk – the threat created by nearby wireless signals, devices, and human presence – was an overlooked blind spot. In 2025, the emergence of Proximity Attack Surface Management (PASM) marked the formal recognition of a discipline dedicated to discovering, assessing, and mitigating risks at the physical-digital intersection.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">PASM complements supply chain security: One looks outward to vendors and partners, the other inward to the organization’s own environment. Together, they establish the foundation of a modern fundamentals program, returning to the basics, executed with precision and accountability. In that sense, PASM is more than a toolset. 
It represents a model or blueprint for how organizations should manage their foundational attack surfaces. PASM manages the proximity surface and supply chain governance frameworks manage the vendor surface. Together, they define the operational foundation of modern cyber resilience.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Turning that vision into reality requires coordination across people, processes, and technology. CISOs, CSOs, procurement leaders, and legal teams must have clearly defined responsibilities and shared accountability. Vendor-security liaisons and on-site verification roles can bridge the gap between contracts and operations, while regular training helps facilities staff, contractors, and operations teams understand how their daily actions shape digital risk.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Process maturity builds on that structure. Organizations need to evolve from periodic audits to continuous vendor assurance, leveraging telemetry, configuration validation, and targeted spot checks. Incident response and crisis management playbooks should explicitly address supply chain and proximity scenarios, with defined escalation paths. Tabletop exercises must involve suppliers, facilities, and executives, ensuring that everyone from the boardroom to the loading dock understands their role in containment and recovery.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Technology completes the loop. Attestation tools track vendor access, code provenance, and privileged actions. PASM sensors detect rogue radios or anomalous wireless behavior. 
Zero-trust principles, particularly around vendor and device access, enforce just-in-time privileges and minimize exposure.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Enterprises must adopt management platforms for these fundamental domains, supply chain and proximity, and treat them as continuous, operational disciplines, not as optional security add-ons. </span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><h3 aria-level="2"><b><span data-contrast="auto">Identifying and Prioritizing Your Fundamentals in 2026</span></b><span data-ccp-props='{"134245418":false,"134245529":false,"335559738":360,"335559739":80}'> </span></h3><p><span data-contrast="auto">Every organization should start by mapping its foundational attack surfaces, including supply chain, proximity, third-party integrations, OT and ICS connections, identity systems, and data egress points. Once mapped, they must be ranked by impact and likelihood to identify which are mission-critical and which are secondary. Ownership should be jointly assigned to the CISO and CSO, with executive support and adequate funding. Above all, continuous verification must replace static assessments. Snapshots and checklists cannot protect a living ecosystem of vendors, devices and people.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p><p><span data-contrast="auto">Innovation matters, but without strong fundamentals, every new control sits atop a shaky foundation. Supply chain and proximity are not peripheral; they are the base layer on which resilience is built. If the DoD and 8200, organizations with unparalleled cyber expertise, can falter on these fronts, no enterprise is immune. With 2026 around the corner, leaders should be asking: Are our fundamentals continuously managed end-to-end? 
If the answer is anything short of an unqualified “yes,” the time to act is now.</span><span data-ccp-props='{"335559738":240,"335559739":240}'> </span></p>