When it comes to moving toward a zero trust architecture, the Department of the Navy is still in the discovery phase.
For six of the seven pillars of the Defense Department’s zero trust maturity model, the DoN is conducting a gap analysis: identifying which applications are permitted on the network and the routes to and from authorized users, and understanding which zero trust principles are already in place.
Tony Plater, the chief information security officer for the Department of the Navy, said this data will inform the service’s internal roadmap and help prioritize the areas that carry the most risk.
“The key thing is zero trust in this whole modernization effort is benefiting not only cybersecurity, but benefitting our overall modernization effort. So this will just go on to leverage all that we’re doing with zero trust and zero trust will leverage all that pre-work we’ve been doing under the identities management and ICAM modernization,” Plater said on Ask the CIO. “We have a concerted effort going on that embraces all the principles of zero trust, assume trust is a vulnerability, never trust, always verify, deny by default because we need to presume breach. Zero trust is not a single tool. It’s not a product, but a collection of capabilities. It is a culture that we are espousing to that we are working together closely within the DoN with a North Star being scalable, resilient, auditable and having a defensible architecture.”
The one area where the Department of the Navy is more mature is the identity and access management pillar. Plater cited the Navy Identity Service (NIS), an enterprise system.
“Much of that is driven by what we need to do with zero trust and much of that is driven by the DoD financial audit. We had to address certain weaknesses associated with that audit, where we’re already moving down the road of this concept of a centralized identity services system. That is also a big enabler for where we’re going with zero trust,” he said. “We’ll still leverage the common access card in the same manner as today, use the existing infrastructure certificate authority to validate users and ingest identities that originate from the Defense Manpower Data Center. But the key thing is once a user’s CAC has been activated, a user no longer needs to be on a network. We have this vision that we will be able to more quickly detect a change in their status and immediately reach out and disable a user’s account so they can no longer access the various systems scattered across the enterprise.”
The Department of the Navy has already started implementing NIS across its enterprise resource planning (ERP) program and will continue to expand it to other applications over the next year or so.
As for the other pillars of DoD’s zero trust maturity model – device, network, application, data, visibility and analytics, and automation and orchestration – Plater said the DoN is working the policy and pilot angle.
Over the next few months, the DoN chief information officer’s office is working on several new policies to help institutionalize the concepts around zero trust.
Plater said one is around the move to DevSecOps. The Navy launched its Black Pearl initiative, a platform to begin standardizing its approach to DevSecOps, earlier this year as part of its 2022 campaign plan and roadmap.
“We have a concerted effort to adopt those new security, coding tools and practices associated with DevSecOps. This agile coding methodology aims to bake security into software early into development,” Plater said. “We have teams that meet on a weekly basis who are working toward establishing all the right guidance, policy and processes that it really takes to certify pipelines that will produce securely coded products.”
He said the guidance will come from his office and will be signed by the Navy and Marine Corps CISOs.
The DoN is working toward a continuous authorization process where software goes through a series of security gates every day. Plater said this would be a culture change for the department to break down real or perceived barriers to DevSecOps.
“We are talking about doing business differently. We’re talking about continuous integration, continuous development pipelines. We’re talking about software being developed with the goal that once that software is ready for deployment, in some cases, being able to be automatically deployed. Those are all major changes in how we do our processes,” Plater said. “You also have to show the value of the change, and you have to show how you are doing the change at an acceptable level of risk. In many ways, we are working with our workforce to continue to train them. We also have to show the value to leadership that we are doing it in an effective and acceptable level of risk to make the change.”
Over the longer term, Plater said he would like the DevSecOps teams to have a bank of tested and secured software code to pull from as they develop applications.
This concept also fits into the modular development approach, which goes a long way toward ensuring security.
“We’re going to use a variety of manual, automatic and dynamic testing. One of the key things, as part of our Cyber Ready concept, is we want to look for where we can incorporate penetration testing and adversarial testing early in the process. That’s something else we want to make sure from a Department of Navy perspective, we expand our use of adversarial testing, or as you would say, via blue teaming as part of this whole development process,” Plater said.
The DoN’s Cyber Ready initiative, which focuses on continuous monitoring and ongoing risk assessments, is another step in the zero trust journey, and where Plater said new guidance and pilots are coming.
“Within the next 60 to 90 days, we expect we will release a strategic intent memo which will outline our expectations of the services,” he said. “Then following that, those pilots will be used to help us guide actual policy and inform us as we continue to work closely with DoD to share what we’re learning to help, where it makes sense across the department.”
The move toward Cyber Ready isn’t just a matter of changing security or technology. The DoN is folding in its acquisition workforce as well as the mission owners, who need to understand how to measure and mitigate risks.
“We feel we need to measure cybersecurity differently, which means more holistically with a risk and readiness mindset. It’s not just patching. It’s not just trying to keep up with every cyber vulnerability because of resource constraints. It’s understanding what are the risks, where the threats are and being able to prioritize and go at it and measure cybersecurity differently,” Plater said. “Second, we need to accelerate our authorization process. We talked about modernizing the Department of Navy infrastructure, well, we have to look at how we can accelerate that authorization process with an acceptable level of risk. We are looking at what is the minimum viable product that we need to assess and make a risk decision on in order to enable speed to capability.”
Plater said the CIO’s office understands the DoN will not transform overnight.
“I think the modernization, the implementation and maturity toward zero trust is putting us in a better position to better protect our data and to meet all the challenges we have within this cyber contested environment,” he said.