The Defense Department’s zero trust portfolio management office is going on the road. Over the next few months, DoD leaders will meet with combatant commands to further press the importance of this new cybersecurity approach.
The road show is just one way the portfolio management office is leading the effort to meet the Pentagon’s 2027 deadline to implement zero trust.
Randy Resnick, the director of the Zero Trust Portfolio Management Office at DoD, said training, education and listening are huge factors in ensuring this program’s success.
“There can’t be enough training for zero trust. We are working with Defense Acquisition University to come up with training courses, which they have done. I believe we have five courses already that anybody in the Department of Defense with a common access card (CAC) can get to and take,” Resnick said during the FCW Zero Trust Summit on Tuesday. “It’s not mandatory for anybody to take the zero trust courses, but we’re working toward that model where it would actually either be mandatory to take the ZT 101 or thereabouts or roll it into the existing cyber courses and essentially update the cyber course to include zero trust. This is how we’re going to get the workforce upskilled.”
He said the other way to upskill the workforce around zero trust is by hiring employees right out of college, who already have been initially trained on the zero trust concepts.
DoD also will be hosting their second annual ZTA training event in early April and expects to have over 1,200 people as another opportunity to promote the why of zero trust.
The training and education extends beyond courses. Resnick and his team have two trips planned over the next month. One is to Colorado Springs to Space Command and Northern Command, and then they also will go to Africa Command in the coming weeks. He said PMO leaders in January went to European Command.
“What we’re trying to do is to talk about zero trust, the importance of it and talk live about what their requirements are, and talk about their implementation plans,” he said. “This is an opportunity for us to get face-to-face and create those relationships.”
DoD to brief Congress
Those relationships become more important as the PMO continues to analyze the implementation plans each military service, defense agency and combatant command sent in last October.
Resnick said his team and 35 others from across the department are in the middle of a deep dive of the 39 implementation plans now, looking for trends and trying to understand where the challenges and opportunities lie.
“Even though this was the first implementation plan to be delivered to us in October, we’ve mandated that there’s going to be annual updates. Every single October, there’s going to be an update to their implementation plans, providing more granular detail on exactly how they’re going to get the target,” Resnick said. “Next time, we want to see product names, specific courses of action and scheduling. We want to really dive deep on what they need in terms of dollars and resources. One year, for me, is too long so we’re contemplating getting mid-year updates. For example, we might get an update on half the plan the first six months, and break it up, and then the other half of the plan the next six months, so, at least, we’re keeping to some updates to modernization with the implementation plans.”
Resnick said a few trends already have emerged including the need for extra funding and resources to meet the 2027 deadline. He said that wasn’t surprising, but his team can help the services and defense organizations make a case for moving money or resources around through the existing Pentagon process to fulfill these zero trust plans.
Along with the deep dive, DoD is preparing a report and briefing for Congress to happen in March.
“We have to brief Congress on how the Department of Defense is going to [meet ZTA requirements], and whether or not we’re going to hit target by the end of 2027,” Resnick said. “Specifically, which component and organization are doing what. We don’t know how long that’s going to be, but we’re expecting it to be a pretty extensive detailed briefing because officially, even though I’ve talked to many, many staffers, they’ve not gotten a real deep dive on zero trust in over a year. So I’m imagining they would want a nice update.”
Zero trust products pilots on tap
Helping DoD move toward zero trust is more than just reviews and meetings. Resnick said over the next year DoD CIO’s office will lead an effort to look at products.
“We’re essentially going about installing products right now in the system. This year, we are focusing on performing pilots. We’re going to be performing more than 12 or 15 pilots, that is assuming the continuing resolution (CR) gets lifted,” he said. “We plan on accelerating our pilot development and finding those that we could provide to the services and the COCOMs, so that it lowers their risk for them to procure these devices.”
Resnick said he hopes to get the pilots completed by the fourth quarter of 2024 or the first quarter of 2025 to help DoD keep to its schedule to meet the 2027 deadline.
Additionally, Resnick said DoD is expecting companies providing these products to actively team together to integrate their products. He said this is critical for DoD to be successful with zero trust.
“We need to have companies working together to integrate their products, instead of competing against each other on an individual product, in order for us to really get to this zero trust destination that we want,” he said. “The whole vision is essentially to transform the DoD Information Network (DoDIN). There is a lot of work ahead of us, and a lot of new products may have to be purchased and implemented in order for the DoD to get there.”
DoD likely to update strategy
The DoD PMO also is starting to consider how to expand zero trust beyond traditional IT. Resnick said there is some concern that DoD is missing a number of other attack vectors in its strategy like weapons systems or operational technology.
“Those other vectors that we need to apply zero trust to have not been addressed in the fan chart or in the strategy that’s out there right now. The ZT-PMO is now thinking about coming up with additional fan charts for very specific technologies because these very specific technologies don’t necessarily overlay perfectly with the 91 activities or the 152 for advanced zero trust target,” Resnick said. “For example, when it comes to defense critical infrastructure or operational technology or internet of things, these are vectors which could be attacked, theoretically, and bad things could happen. We’re thinking about doing a ZTA overlay for defense critical infrastructure. Another one is weapons and weapon systems. Those need to be secured as well. They’re different. We need to have perhaps a ZTA overlay for that. The last thing is the environment of a disconnected or marginally connected environment. We need a fan chart for that.”
A fan chart is just a way to show the alignment between the zero trust pillars and the technologies needed to secure them in each of these vectors.
Resnick added he’s not sure when the PMO will begin working on these overlays, but it’s on their longer-term radar.