DoD to automate assessment of zero trust implementation plans

In November, the Defense Department’s chief information officer’s office received 39 zero trust implementation plans from the military services, defense agencies and combatant commands. 

It took 35 full-time staff and nearly four months to review those plans, provide tailored feedback and receive final versions with all recommendations incorporated.

Randy Resnick, the director of the Zero Trust Architecture Program Management Office in the DoD CIO’s office said the lesson they learned about the process is that they can’t repeat it again.

“It was a tremendous effort. We really can’t repeat this process, it is untenable. 35 people across almost four months full time, you start adding up the resource costs of that and that’s not something that we could do on an annual basis. So it became apparent to us that we need to automate this process. We need to put it in electronic form where we could actually apply AI tools to actually ask questions and to achieve answers based on the submissions. That’s where our head is going right now,” Resnick said during the DoD Zero Trust Symposium Tuesday.

The DoD CIO’s office mandated all defense components to submit an updated version of their zero trust implementation plans every October, laying out a detailed approach to achieve the target zero trust architecture by 2027. 

The goal is to streamline this year’s review of zero trust implementation plans so it is not such a labor-intensive and time-consuming process. 

“Suffice to say, we will be automating our implementation plans and we will be explaining exactly how to do that with all the components. The plans that we may get in October will be much more streamlined, automated and with the goal of ensuring that we do not need anymore 35 people full-time for three and a half months,” said Resnick.

Accelerating zero trust pilots

The DoD CIO’s office’s plans this year include accelerating zero trust pilot development. The office is lining up about 15 pilots that span across the first course of action, which is adding tools to the existing infrastructure; the second course of action, which relies on commercial providers to develop zero trust compliant cloud; and the third course of action, which is an on-prem, private cloud.

“We want to do examples of proof of concepts across all three at both levels of target and advanced. If we’re able to achieve target or advanced zero trust within these examples, they would be examples that the components could look at and reduce their anxiety level that it’s impossible to implement zero trust and before the end of 2027,” said Resnick.

If the office is able to come up with potential solutions that are independently assessed and proven to hit the target level, it will demonstrate that a particular combination of vendors or products put together in a specific configuration can get the services to their zero trust destination.

Lack of appropriations stalled the effort but now that Congress passed the 2024 defense budget, Resnick’s team will be able to move forward with the pilots with the goal to complete those by the end of 2024. 

Updates to strategy’s activities

While the strategy to guide DoD’s cybersecurity priorities will not be modified, Resnick said his team will introduce minor changes to the activities portion of the strategy.

There will be a slight update to the activities chart, but the number of activities will remain the same. Resnick said the updated version will be public by the end of summer.

“The strategy is sound, what will be modified is the activities descriptions. We found spelling errors, inconsistencies, unclear language in some of the descriptors for certain activities,” said Resnick.

No plans to update reference architecture

Resnick said there is no plan to update the zero trust reference architecture, which is currently at version 2.0, this year.

But concerns around the existing reference architecture being too DoD-focused have surfaced in the past several weeks. 

Resnick said he is open to the idea of assembling a working group to help them with updating the current document.

“If there’s a consensus of folks out there that want to help us update the reference architecture, I’d be happy to entertain a working group that would go about doing that,” said Resnick. “We could set something up and update the reference architecture appropriately to version 3.0. So I’m open to that.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.