Army looks to zero trust to secure its networks

As the Army works toward meeting zero trust goals, it has to integrate the security into multiple networks and the defense industrial base.

In a nod to West Point’s Black Knights, the Army tentatively named its new zero trust cybersecurity plan “Knights Watch” as it moves to secure its network and cloud services by 2027. The plan marks a move away from perimeter-based cyber defense, like the “none shall pass” strategy of Monty Python’s Black Knight, toward a focus on authentication and coverage within the network.

The plan needs to be fleshed out by October, the Defense Department’s deadline for receiving zero trust implementation plans from the service branches. The process has to pull together a variety of cybersecurity elements, according to Maj. Gen. Jan Norris, the Army’s chief information security officer and deputy CIO.

“We’ve got to migrate our existing infrastructure, and the capabilities and tools we invested in this thing we’re calling Knights Watch, zero trust. DoD says, ‘Hey, come back with a plan to do this by 2027.’ We’ve got these objectives and activities we need to align to. And so that’s going to take a lot of work,” Norris said in a webinar hosted by Defense One.

Norris said the Army had big hurdles to overcome in moving to zero trust because of the way its networks are set up. They have traditionally used firewall protection; now they need to be protected both from the outside and from intrusion within the network itself. Additionally, the Army has networks both within the continental United States and outside it, including a European network.

“Zero trust will provide better cybersecurity because it will permeate every part of the network by tagging data, providing identity and credential management for devices, as well as individuals and implementing attribute-based access control,” said Maj. Cory Dombrowski of the Army’s zero trust functional management office.

In order to meet DoD’s zero trust goals for having a strategy in place this year and then moving forward to 2027, the Army needed a cohesive plan to overhaul security, and it had to be done in concert with moving data to the cloud. That’s where Knights Watch came into play.

“It’s everything from redesigning our infrastructure, to applications to event management, network management, incident management. It’s collapsing down networks that are older or aging infrastructure and bringing them more in line with current infrastructure. It’s the overall program for everything in front of you,” Dombroski said in an interview with Federal News Network.

Among the obstacles the Army faces in trying to meet its zero trust goals is developing the trained staff, civilian and uniformed, to administer the programs.

“We’ve got a timeline to do this. It’s going to take time, money, and most importantly, it’s going to take talent. We’ve got to have the skills in some of these specialty areas. And if we can’t get them, what we typically do is go out and contract it, you find an industry partner who can do it for you until you can build train personnel, whether they’re in uniform, or civilian clothes. That’s going to get us to a point where we’re more resilient, and we’re going to do it,” said Norris.

As the Army’s zero trust architecture expands, new areas crop up that need a policy to get them into protective coverage. Norris said his agency needs to build a roadmap to cover critical infrastructure.

“We’ve got to revise the policy. We’re doing it right now for zero trust. The Internet of Things, operational technology, things that we’re connecting to our network now. And what are the rules and policy implications for that?” Norris said. “Our munitions plants, depots, arsenals, these systems and components within the Army that are used in our industrial base to manufacture things. We’re connecting those things, sensors, monitors, you name it, to our network. Again, that terrain is expanding.”

 

 

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
