DoD evaluates zero trust use cases, cloud providers

The Pentagon is also working with major cloud service providers like Microsoft and Google to evaluate their zero trust implementations.

The Pentagon is putting its zero trust use cases through the wringer, including ongoing evaluations of how major cloud providers are implementing the cybersecurity architecture.

Les Call, director of the Defense Department’s zero trust portfolio management office, said the ZT office has signed up 18 distinct “proofs of concept” for zero trust across DoD. Call said 12 of those concepts are “completed, ready to be assessed.”

“We boiled it all down to use cases,” Call told Federal News Network after presenting at ATARC’s Federal Zero Trust Summit in Reston, Va., last week. “And so every one of those, we want a separate use case which can be broadly applied across the DoD.”

The proofs of concept range from a ship-to-shore connection sponsored by Naval Sea Systems Command to the Defense Information Systems Agency’s work on federated identity, credentialing and access management (ICAM).

The Pentagon’s zero trust strategy lays out a goal to achieve a “target” level of zero trust across all DoD components by fiscal 2027.

Call said proving out use cases that apply broadly across DoD will allow the department to “leap frog” a more linear process for achieving zero trust architectures across 43 distinct DoD components.

“If we can come up with use cases that satisfy a particular need where we can just say, ‘Hey, these vendors have already accomplished this, or this group of vendors has already accomplished this,” absolutely fabulous because that then gives people an opportunity to shortcut and get there faster,” Call said at the ATARC presentation.

The portfolio management office is working with MIT Lincoln Labs to create a “zero proving ground,” Call said, where proofs of concept and specific technologies can be tested.

“So that we can then send vendors over to MIT Lincoln Labs, they can evaluate their solutions, and then they’ll go onto a list, which we’ll then send out to the 43 components, and say, ‘Hey, these are people that are certified. They reach these activities, they interoperate with these other tools. So if you’ve got this, it’ll work well with this,’” Call said.

Cloud service providers will also play a major role in DoD achieving its zero trust goals. Call said he has been working with all four CSPs under DoD’s Joint Warfighting Cloud Capability contract: Amazon, Google, Microsoft and Oracle.

Call said DoD has already completely assessments of Microsoft Azure and Google Cloud.

“The initial request is you need to meet target 91 [zero trust activities] and then once you do that, you need to work on advanced and get as close to those 152 that you can get, and allow us to assess that complete environment,” he said.

DoD is also set to receive updated zero trust implementation plans from military services and defense components this month.

Zero trust red teams

Call said his office has worked with the National Security Agency to develop a “zero trust readiness assessment tool.”

“It basically asks you a series of questions, and helps you to map where you are on your activities and give you a score,” Call said.

He also urged DoD organizations to ensure they are ready for a zero trust red-teaming assessment. DoD currently only has two certified red teams available to conduct zero trust assessments. Call said organizations that fail the formal assessment will be sent to the back of the testing line.

“We’d like to do more, but there is a heavy cost with doing those, unfortunately, and even at the at the DoD level, it’s not an endless pot of money,” Call said. “That is absolutely a bottleneck, and our plan is and hope is that once we get to a certain step, we’re going to turn that over to the services, and say, ‘It’s your responsibility to assess your environments.’”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories