The Pentagon's much-anticipated zero trust strategy lays out an ambitious, detailed plan for how DoD will adopt a "never trust always verify" approach.
The Defense Department officially unveiled a zero trust strategy and roadmap today laying out how DoD components should direct their cybersecurity investments and efforts in the coming years to reach a “target” level of zero trust maturity over the next five years.
The release of DoD’s zero trust strategy follows on the heels of the White House Office of Management and Budget’s federal zero trust strategy published earlier this year. DoD’s strategy lays out a detailed and ambitious plan for defense components to attain specific zero trust capabilities by 2027.
The aim is to counter a “rapid growth” in offensive cyber threats by shifting away from a perimeter defense model to a “never trust always verify” mindset, DoD Chief Information Officer John Sherman wrote in the foreword to the strategy.
“Zero Trust is much more than an IT solution,” Sherman wrote. “Zero Trust may include certain products but is not a capability or device that may be bought. The journey to Zero Trust requires all DoD Components to adopt and integrate Zero Trust capabilities, technologies, solutions, and processes across their architectures, systems, and within their budget and execution plans. Perhaps most importantly, they must also address Zero Trust requirements within their staffing, training, and professional development processes as well.”
The strategy lays out four strategic goals: zero trust culture adoption; DoD information systems secured and defended; technology acceleration; and zero trust enablement.
DoD’s approach includes 45 separate “capabilities” organized around seven “pillars”: users, devices, networks and environments, applications and workloads, data, visibility and analytics, and automation and orchestration.
And it segments DoD’s expected progress across those pillars into “target” and “advanced” levels of zero trust. Some initial target capabilities in the coming years include user inventories, federated identity credential and access management solutions, endpoint detection and response tools, and software defined networking.
DoD expects all its components to achieve the “target” level goals by fiscal 2027.
“The strategy makes zero trust tangible and achievable, while recognizing a dynamic and frankly continuous improvement approach,” Randy Resnick, director of DoD’s zero trust portfolio management office, said in a call with reporters Tuesday.
The strategy also doesn’t mandate the use of specific IT solutions or zero trust products, leaving it to the military services and fourth estate agencies to determine those specifics.
“We are not defining exact components that people have to buy, specific software or anything like that,” Acting Principal Deputy CIO David McKeown said. “We are defining capabilities here. And we’re leaving it up to the services for how they implement those and integrate them together in order to achieve the desired zero trust level.”
DoD also released an associated “zero trust capability execution roadmap” today laying out a baseline “course of action” to zero trust using the department’s current IT infrastructure and capabilities, known in IT parlance as a “brownfield” approach.
“There aren’t any technical, critical path items that are unachievable for us to get to zero trust at the target level,” Resnick said. “It’s just a matter of leadership’s ability to execute. We have the dollars, and every single year, we’re doing a review of what’s required going into the next years in the [Future Years Defense Program] to make sure that this is well funded.”
DoD is also developing separate future zero trust roadmaps for “commercial cloud” and for “private cloud.” Both of those approaches are expected to achieve zero trust “quicker” than the five-year, baseline approach, according to the roadmap document.
Resnick said the commercial cloud course-of-action is likely to be one of the “risks” in DoD’s approach. DoD will be conducting zero trust tests with commercial cloud providers over the coming year.
“On paper, it looks great,” Resnick said. “From a technical review point of view, it’s achievable, according to the cloud vendor, as well as our own analysis. But what really needs to happen and what will be happening is we’re going to be piloting it in an operational environment, and then we’re going to have red teams go after it and do real attacks.”
McKeown said DoD will likely pilot its zero trust approach with the four major commercial cloud providers involved in the Joint Warfighting Cloud Capability acquisition: Google, Oracle, Microsoft and Amazon Web Services.
“We gave them advance copies of drafts of what we’re working on,” McKeown said. “They were very encouraged that somebody had finally defined for them the things that they would need to hit in order to satisfy zero trust. . . . We have clearly defined a north star for these vendors and they were pretty happy with that.”
Resnick said there could also be some challenges in how DoD components decide to pursue the zero trust goals, whether using their current architecture, a commercial cloud, the private cloud or a combination.
“There may be challenges from an integration point of view, and then deciding which one of the COAs or combination of COAs to choose,” he said. “But that’s something that we’re prepared to talk about as a portfolio office with the services and the [defense agencies and field activities].”
Component-level execution plans laying out “how Zero Trust is applied across their networks, including all infrastructure and systems,” are due to the DoD CIO’s office by Sept. 23, 2023.
“System owners are responsible for executing and enforcing the move to ZT and must understand risks associated with delaying implementation,” the strategy states. “Appropriate security controls, including potential refinements to how DoD implements the Risk Management Framework (RMF), must be designed and enforced to counter new attack vectors and emerging threats until a full rationalization of those systems can be conducted to either eliminate or modernize accordingly.”
DoD components are also being directed to pilot zero trust on three legacy systems over the course of the next year, according to the strategy. And one of the first key deadlines for DoD organizations is to log all network traffic by the fourth quarter of fiscal 2023.
By the end of 2023, DoD components should begin deployment of zero trust into production systems, according to the strategy.
Components will have to address funding for their zero trust plans through the annual budgeting process, the strategy states. “DoD CIO will work with Components to address any Component-level resourcing shortfalls, each fiscal year, within the annual Program Objective Memorandum (POM) cycle, starting with the next immediate submission. Additionally, DoD CIO will work with Components to submit requests for new funding to Congressional appropriators through the regular DoD resourcing processes.”
The zero trust portfolio management office will take metrics reported by the components and provide the DoD Cyber Council with a “combined scorecard,” the strategy states, “to measure this strategic plan’s progress and identify additional risks that need to be mitigated to advance overall ZT strategic objectives.”
The council will serve as the primary authority on both zero trust technical and strategic direction, the strategy states. It is co-led by the DoD CIO and the DoD principal cyber advisor.
“Executing and achieving the objectives laid out in this strategy requires the coordinated efforts of the Joint Force and the entire defense ecosystem,” the strategy states. “Everyone in the department has a role to ensure the success of ZT. While protecting data is central to ZT, successfully implementing our ZT framework requires that the entire Department understands and embraces a culture of ZT.”
Copyright © 2024 Federal News Network. All rights reserved.