The Defense Department’s journey toward zero trust took an important step yesterday with the expected delivery of 43 plans of action from the military services and Defense agencies.
These roadmaps spell out the steps each of the services will take to achieve the target environment by 2027.
Randy Resnick, the director of the Zero Trust Portfolio Management Office in the DoD CIO’s office, said his team wanted to make sure it was reviewing and rating every component fairly and against the same set of metrics. Resnick said the CIO’s office created those measures between February and July.
“That led into basically coming up with a table of contents, a very prescriptive table of contents that we wanted to see in this plan, literally chapter-by-chapter and section-by-section and then a whole bunch of appendices, as many as 10, with Excel spreadsheets that were already pre-populated with exactly what we wanted them to insert by the X and Y axes. So there’s no ambiguity of exactly what the portfolio office wants to get,” Resnick said at the Cyber Beacon Conference sponsored by the National Defense University on Oct. 19. “Then on top of that, we held monthlies with the components. We held quarter releases with the components, and we also held one-on-ones off schedule with the components with anybody that had any questions about how to prepare the implementation plan. So suffice to say everybody is in lockstep right now. We’re expecting to get these plans, and whether or not they exceed our expectations or meet our expectations, that’s to be determined. We are confident that probably 80% to 90% will, but there will be some that we’re going to have to go back and forth.”
Resnick said he expects some plans will need help or will need to provide more details, so those discussions will continue over the next week or two.
The plans will be broken down by the different infrastructures, whether on-premises, hybrid or all cloud.
“Without getting too deep, it’s improve on the ground, our course of action one, our commercial clouds course of action two or a private cloud, and course of action three that will be a mix of all that,” he said. “We’re going to get all this data and we’ll be really busy, heads down. But at the end of the year, let’s say mid-December, we’ll have a really good picture of exactly where the department sits on that.”
DoD released its zero trust strategy and implementation plan last November. It lays out four strategic goals: zero trust culture adoption; DoD information systems secured and defended; technology acceleration; and zero trust enablement. The strategy included 45 separate “capabilities” organized around seven “pillars:” users, devices, networks and environments, applications and workloads, data, visibility and analytics, and automation and orchestration.
DoD to brief Congress
Over the last year, the military services and Defense agencies have been reviewing and analyzing their current cyber capabilities and what gaps exist. These plans are a roadmap to close the gaps.
The journey over the next four or so years to close those gaps will come under more scrutiny than typical of a DoD effort.
Part of the reason for this is the interest of Congress, which added the requirement for these zero trust implementation plans in the 2023 defense authorization bill.
Partly because of that and partly because of how important the move toward zero trust is for all of the government, the DoD CIO’s office will take the oversight lead initially.
“Our plan is that we’ve assembled probably the equivalent of maybe 17 or 18 full-time equivalents (FTEs), probably about 25 people, if you count them all, to spend the next four to six weeks analyzing every one of those plans and measuring the success of those plans, and whether or not they’re giving us the information,” Resnick said. “We want to know how every single component is going to be hitting target level zero trust or higher by fiscal 2027 or earlier, and a layer on top of that is how are they going to achieve it.”
After the internal review, Resnick said DoD will send a report to Congress in December and brief lawmakers in January.
Along with these plans of action, DoD also is helping the services and agencies through the Thunderdome initiative from the Defense Information Systems Agency. DISA kicked off its zero trust pilot through an other transaction agreement (OTA) back in January 2022 and moved it into production under a $1.9 billion production OTA awarded to Booz Allen Hamilton in August.
Thunderdome is not a single tool but a collection of capabilities, such as software-defined networking and secure access service edge (SASE).
DISA expands zero trust initiative
Imran Umar, a vice president and cyber leader at Booz Allen Hamilton, said by the end of November most of DISA will be transitioned to Thunderdome.
Umar added that many of the new capabilities under Thunderdome lean on artificial intelligence and machine learning tools.
“Right now we’re integrating and rolling out products from Microsoft like Defender, Sentinel and Intune. We are now integrating them with Thunderdome, correlating that data we are recollecting from a software-defined perimeter zero trust edge. That’s hard to do manually. That’s hard to do through manual collections by IT security analysts,” he said. “One of the things we’ve done is partnered with the Chief Data and Artificial Intelligence Office and are now implementing AI and machine learning as part of our visibility and analytics pillar as we roll out Thunderdome. It’s been extremely helpful.”
Umar offered two examples of where DISA is applying AI/ML capabilities.
One is a domain generation algorithm (DGA) detection capability, which defends against common threat vectors that come through the domain name system (malware that generates its command-and-control domains algorithmically rather than hard-coding them). The second, called Sherlock, goes after HTTPS-based attacks, which traditional signature-based models do not detect.
Umar said both of these tools let security analysts do data analytics and visibility in new ways.
“When you start adopting zero trust, you’re collecting a lot more telemetry and just sending all that data into your traditional security information and event management (SIEM) tool is no longer scalable. So partnering with the CDAO, we implemented a streaming analytics pipeline,” Umar said. “The idea here is we are collecting all the sensor data from endpoints and intrusion detection and prevention systems, and in line we’re enriching that data, normalizing that data and we are deploying machine learning models on that streaming analytics pipeline. The value of that is as the data hits the wire, we’re applying intelligence to that data so by the time that data hits the SIEM, the analyst already has all the data they need to take actions.”
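The two ideas above, a DGA detector and an inline enrich-normalize-score pipeline that runs before events reach the SIEM, fit together naturally. The following is an added illustration and is not DISA or Booz Allen Hamilton code; nothing is known about Thunderdome’s actual models or schemas. It assumes two constructed DNS sensor feeds with different field names, a hand-written asset-role table, and a simple lexical DGA score (entropy, vowel and digit ratios, label length) standing in for the trained model that a real pipeline would call at the same step.

```python
"""Toy streaming pipeline: normalize -> enrich -> score -> SIEM-ready event.

Constructed example. The DGA score is a lexical heuristic standing in for a
trained model; the sensors, field names and asset table are all invented.
"""
import json
import math
from collections import Counter
from datetime import datetime, timezone

# Constructed sample telemetry from two sensors that disagree on field names.
RAW_LINES = [
    '{"ts": "2023-10-19T14:02:11Z", "src": "10.1.4.22", "qname": "mail.example.mil", "sensor": "dns-tap"}',
    '{"timestamp": 1697724140, "client_ip": "10.1.4.23", "query": "xk3q9vz2m7lp0wq.net", "source": "edr"}',
    '{"ts": "2023-10-19T14:02:15Z", "src": "10.1.4.22", "qname": "cdn.example.com", "sensor": "dns-tap"}',
    '{"timestamp": 1697724150, "client_ip": "10.1.4.31", "query": "q7h2k9x4n8b1v6c3.com", "source": "edr"}',
    '{"when": "2023-10-19T14:02:40Z", "host": "10.1.4.40", "sensor": "unknown-box"}',
]

# Constructed asset inventory used for enrichment (the "context" an analyst
# otherwise has to look up by hand).
ASSET_ROLE = {"10.1.4.22": "workstation", "10.1.4.23": "workstation", "10.1.4.31": "server"}

# Per-sensor field mapping onto one common schema: ts, src_ip, domain.
FIELD_MAPS = {
    "dns-tap": {"ts": "ts", "src": "src_ip", "qname": "domain"},
    "edr": {"timestamp": "ts", "client_ip": "src_ip", "query": "domain"},
}

DGA_THRESHOLD = 0.6  # assumed operating point for the heuristic score


def to_iso(ts):
    """Epoch seconds become ISO-8601 UTC; strings are assumed already ISO."""
    if isinstance(ts, (int, float)):
        return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return ts


def normalize(raw: dict):
    """Map a sensor-specific record onto the common schema; None if unknown sensor."""
    sensor = raw.get("sensor") or raw.get("source")
    mapping = FIELD_MAPS.get(sensor)
    if mapping is None:
        return None
    event = {new: raw[old] for old, new in mapping.items() if old in raw}
    event["ts"] = to_iso(event["ts"])
    event["sensor"] = sensor
    return event


def registrable_label(domain: str) -> str:
    """Label left of the TLD. Naive: a real pipeline would use the Public
    Suffix List so that foo.co.uk yields 'foo' rather than 'co'."""
    parts = domain.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def dga_score(label: str) -> float:
    """Lexical DGA heuristic in [0, 1]: long, high-entropy, vowel-poor,
    digit-heavy labels look machine-generated. Stand-in for an ML model."""
    n = len(label)
    if n == 0:
        return 0.0
    entropy = shannon_entropy(label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    score = 0.0
    if n >= 10:
        score += 0.25
    if entropy >= 3.5:
        score += 0.35
    if vowel_ratio < 0.2:
        score += 0.2
    if digit_ratio >= 0.25:
        score += 0.2
    return round(score, 2)


def enrich(event: dict) -> dict:
    """Attach asset context and the model verdict so the SIEM receives a
    ready-to-triage record instead of a bare DNS query."""
    label = registrable_label(event["domain"])
    score = dga_score(label)
    event["asset_role"] = ASSET_ROLE.get(event["src_ip"], "unknown")
    event["dga_label"] = label
    event["dga_score"] = score
    event["dga_suspect"] = score >= DGA_THRESHOLD
    return event


def run_pipeline(lines):
    """Stream JSON lines through normalize -> enrich; returns SIEM-ready events
    and the count of records dropped for having no schema mapping."""
    out, dropped = [], 0
    for line in lines:
        event = normalize(json.loads(line))
        if event is None:
            dropped += 1
            continue
        out.append(enrich(event))
    return out, dropped


if __name__ == "__main__":
    events, dropped = run_pipeline(RAW_LINES)
    for e in events:
        print(json.dumps(e))
    print(f"dropped={dropped}")
```

The point of the structure is that every step is a pure function on one event, which is what lets it sit inline on a stream (Kafka consumer, Flink job, or a simple loop) rather than as a batch job over the SIEM. Records the pipeline cannot normalize are counted rather than silently discarded, since a sensor whose format drifts is itself a visibility gap worth alerting on.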
Risk management crosswalk
The military services and Defense agencies also should be getting more help on their zero trust journey in the coming month, when the DoD CIO’s office releases a zero trust overlay to National Institute of Standards and Technology Special Publication 800-53 that crosswalks the strategy’s activities to the security controls applied under the Risk Management Framework (RMF).
Resnick said the RMF process itself will still have to work with zero trust; that will not change.
“What will change however, is the controls that you have to apply. We’re about to publish, probably in two or three weeks, the zero trust overlay to NIST 800-53, Rev 5 that we’ve worked very hard on for close to a year and a half. It’s been circulated around the DoD components at least twice, if not three times. We’ve triaged all the comments and it’s in a final form. So basically what we’re doing right now is dotting I’s and crossing T’s and probably [DoD CIO John] Sherman will sign it out,” he said. “Then it will go out in the public and in parallel we’ll move it over to the Committee on National Security Systems (CNSS) and we’ll try to make it a CNSS standard for zero trust.”
Resnick said the military services and defense agencies would apply this zero trust-800-53 overlay to future cybersecurity efforts that are going through the RMF authorization process.
“That document along with the requirement to hit close to 91 activities for target level, the two of them together will reinforce each other, and that will validate and verify each one of them separately to achieve what we’re trying to achieve, which is to stop the adversary, stop the lateral movement and stop the exploitation of DoD data,” he said. “It’s a crosswalk to the activities and some activities will have more than one control that has to be applied. We will crosswalk our zero trust overlay or the controls to the activities, and if a control is applied in more than two places, it will also be directed to two places. The subtlety of what the control does in the different places, if it happens to hit, let’s say, different pillars, that control has to do two separate different things in each one of those pillars, and we will describe that and it is described in the document. If you take a look at the strategy, and especially the implementation plan that we published, we were very, very detailed purposefully so, so there was no confusion as to what a user or a vendor has to implement. Same thing with the controls, we follow the same simplicity. Wherever there is ambiguity, they went back and they worked the language so that a high schooler could understand exactly what we’re looking for.”