Zero trust cybersecurity is on everyone's mind these days, who is responsible for an information system.
Zero trust cybersecurity is on everyone’s mind these days, who is responsible for an information system. For an update on what is going on at the Defense Department, the Federal Drive with Tom Temin talked with Randy Resnick, Director of the Zero Trust Portfolio Management Office in the DoD’s office of the chief information officer.
Interview Transcript:
Tom Temin And maybe just help us by telling us how the office that you run fits into the whole DoD CIO structure. And there is a DoD wide zero trust strategy that’s going to take a couple of years, 3 or 4 more years till they get it done. Tell us how this all works from an apparatus standpoint.
Randy Resnick Ok, so mechanically this is good timing for this interview because we are two years at the end of January as a formed portfolio office, a zero trust portfolio office. Prior to the fornation of the Zero Trust Portfolio Office in the DoD CIO, there was no integrated, synchronized place in the Department of Defense that actually made sure that the topic of zero trust was being worked or synchronized across the services. So what senior leadership in the DoD three years ago was concerned about is that everybody would go their own way, and they would start building and installing potential zero trust solutions, and then you would have interoperability problems. And so they predicted that issue immediately and started working towards a synchronization office, which ultimately turned out to be a zero trust portfolio office. It was placed inside the DoD CIO and it reports directly to the DoD CISO, who currently is Mr. Dave McEwan. I report directly to him and he reports directly to Honorable chairman, the CIO.
Tom Temin And I imagine that there is some cost consideration here, too. If you don’t have to buy tens of thousands of different tools, it may not show up in any one place. But if every component is chasing its own zero trust toolset, I know they say zero trust is not a product, but it’s also not free.
Randy Resnick Two years ago, there was no definition of what zero trust meant for the Department of Defense, let alone the rest of the world. There were numerous confusing, vendors that were saying they had zero trust solutions, and then they were trying to sell these solutions to folks in the Department of Defense. And people were extremely confused because they didn’t know what they were buying and what outcome really was being achieved by buying a one off. So when we came on board and was formed as a portfolio office, that was one of the main things, the first things that we worked on is let’s define what zero trust needs to be and do, what outcome do we want to achieve, etc. So you’ll see, in the first year that we were formed, we produced a lot of foundational documentation in everything that we’re doing right now in the second year and forward is building on that foundation and actually executing on it now.
Tom Temin And of course, the Defense Department likes to talk in terms of milestones. And I think the end goal, I think is something like 26 or 27 for full zero trust. What are your milestones for 24? What do you hope to accomplish in this 11 months left of this year?
Randy Resnick So when we started out, two years ago, we tried to determine how long would it take an enterprise the size of the Department of Defense, which is very large, to move to a zero trust cybersecurity, configuration. It’s never been done before at the scale. And for many reasons. I’ll summarize it. We settled on five fiscal years, so that wound up for us to be the end of fiscal 27. So we set the deadline or a goal, the strategy that we had to achieve target level zero trust by the end of 27. So with the definition that we created for zero trust, which was 91 activities for target and 152 activities total for advanced zero trust, it would take five. We set five years to achieve target ZT. Target ZT for us was defined as the ability to stop and adversary lateral movement and exploitation of data. So that was a key outcome that we sought to achieve in our definition of the 91 activities we believe get you there. So in terms of what we are doing in 24, and 23 what we did is we worked to achieve and get a lot of resources, funding priority within department, a lot of outreach and most importantly, the Department of Defense’s implementation plans, which came to us at the end of October 2023, just a few months ago.
Randy Resnick Those implementation plans described at a granular, great detail, exactly how each component was going to achieve target level zero trust before or on the end 27. We have that right now and we evaluated all of it. I’m extremely pleased about what we received in the end. I can’t say better things about it. We are really in a good shape in terms of the plan. So what are we going to do in the remainder of fiscal 24 or calendar 24? It’s all about execution. In order to do execution, we have to experiment on configurations that could achieve target level zero trust. It’s easier said than done. What it requires is a number of vendors coming together, teaming and integrating their products together to achieve the 91 or the close to 91 activities. Not any single vendor is going to be able to achieve it on their own, that’s why I’m saying that. So we need to pilot or test these configurations to actually see if it hits target level zero trust. So that’s our plan. As a portfolio office is to demonstrate multiple multiple pilots across each one of our courses of action. So we could present to the components DoD at large many, many options that they could think about procuring or choosing in any configuration. So it reduces their risk of guessing whether or not something achieves target or not. And that accelerates zero trust implementation and gets us to end to 27 faster. That’s what we’re doing this year, is trying to orchestrate as many as maybe 12 to 15 pilots for the remainder of the year.
Tom Temin We are speaking with Randy Resnick, director of the Zero Trust Portfolio Management Office in the DoD’s office of the Chief Information Officer. And how do you prioritize where you begin with those 12 pilots? Is there a risk management type of flavor that comes into this, such that this is what we need to do most critically, this is the most important network that we have to protect.
Randy Resnick So we’re not looking necessarily at the networks. We’re looking more about the technologies. And something like that could only work if you already have like the solutions in front of you and then you could prioritize. The reality is that there’s not too many vendor configurations that have come our way in the numbers that would allow us to do it. So if we want to do 12 or 15 pilots, maybe there’s we’re aware of 20 configurations of partnerships amongst vendors that we’re aware of. So instead what we’re saying is that course of action one is installing zero trust equipment on the existing infrastructure that’s already laid down in the DoD. So we call that course of action one. Course of action two is a complete green field solution, where you going with a commercial vendor, a cloud vendor, a CSP cloud service provider to implement ZT for you in the cloud. And you would move your users, your applications, your data, your workloads into that new cloud, and you would inherit zero trust. There’s more to it, but basically that’s it.
Tom Temin Well, how does that tie into the big, you know, multiple award contract that the DoD just awarded? You know, I guess it was last year now.
Randy Resnick Right, [Joint Warfighting Cloud Capability (JWCC)]. So the four cloud computing vendors that won that award, those are the four vendors that we are engaging with to see whether or not they could hit target level or higher within a JWCC cloud. We’re not tied to the JWCC directly, but if you have a deadline of fiscal 27 to achieve zero trust, it’s obvious that anything that’s going on in the JWCC when we start approaching 27, it’s going to have to be zero trust compliant. And so those four vendors are aware of that today. And so that’s why we’re working with them and they’re working with us to start putting together the ideas and the functionality and the testing to actually assert or to assess whether or not they could achieve target or even advanced. And so that’s that’s what we mean by COA Two. COA three is an on prem cloud, there’s a number of examples of that like [Defense Information Systems Agency (DISA)] has their private clouds. Stratus is a perfect example of a private cloud. You could have an on prem private cloud anywhere in the DoD. There are benefits and use cases for on prem clouds. There could be some data and mission that simply can’t go on a commercial cloud, regardless of whether or not it’s JWCC or not. So in our strategy, we’ve asked the components to choose any combination of the three. So we have received in the implementation plans essentially a hybrid solution amongst COAs one, two and three that the services and the components are choosing to achieve target ZT across their entire domain. We’re very pleased by that. So getting back to the question, we want to do at least three pilots for COA one, three pilots for COA two and three pilots for COA three. So that we could present a smorgasbord that’s even that the services and components could choose from without leaving anyone out or prioritizing one over the other. And this will continue in fiscal 25 and beyond. So this list will grow over time. In fiscal 25 we’ll do another 12 to 15. So then you have 30 answers. Industry is starting to pick up on this pace the starting to get it. And we’re seeing very positive partnerships being formed now between multiple vendors to try to map out to the 91 activities.
Tom Temin And is there any way this maps over to the other big DoD wide effort, and that is the development of JADC2 and each Armed Forces component that will help make up the JADC2, giant network of networks and so forth. I would think zero trust is a huge consideration there too.
Randy Resnick I wouldn’t say zero trust is a critical path for [Joint All Domain Command and Control (JADC2)]. The term they use is it’s an enabler of JADC2. So it’s probably the number one amongst other equals for enablers of JADC2. It is extremely closely tied. So the success that we have in zero trust is going to enable the success of CJADC2. There’s other subtleties in our success of zero Trust, which JADC2 will benefit from. Data tags and labels is an example of that. That is critical for CJADC2. You need to be able to understand the data packets or the data that’s going across. So you could do your analytics, your visibility things. So there are commonalities between both programs that we are tackling in our program. That is laying the groundwork for an easier path forward for JADC2. And we’re working very closely with the Joint Staff and others to keep them up to date. They’re very tied with us and vice versa, and we are very aware of what’s happening in JADC2, it’s critical.
Tom Temin And that gets to the idea 2 in zero trust that you are not simply thinking about human users of any network or system, ultimately, but also automated users and all the things happening on micro segments and bots, whether they’re your bots or the bad guys bots.
Randy Resnick Yes.
Tom Temin So maybe discuss the thinking there.
Randy Resnick Beyond the user, which everybody typically says, of course, you have to identify and have have an identification of a user. Zero trust goes much further than that. You have to actually identify a device. So it’s the user and the devices that need to be authorized and authenticated before you could even get onto the network. So these are much more advanced concepts than we’re implementing today on the doted on the nipper and the zipper. So the implementation of zero trust is really it’s a forcing function for implementing the absolute best practices in cybersecurity that we have been talking about for 20, 30 years, that for one reason or another, we’ve had very hard difficulties to implement individually within the Department of Defense. So finally, there’s a program that can do that. But there’s a concept in zero trust called policy information point, a policy enforcement point. So these these policies and these points of decision would look at the flow of data that’s happening across the network. And if they don’t like what they see, or if something violates a policy that is not allowed, it will automatically essentially stop that transmission. So a lot of what I would say is the noise that’s in existing networks that are going across the DoD, they would cease to exist in a in a zero trust world in the future. So the the networks will be kind of quieter. You’ll have higher bandwidth, but the noise floor will be significantly cleaned up. And the traffic that’s only going across the networks would be traffic that’s only allowed. And any traffic that’s not allowed would be blocked as quickly and as early as possible.
Tom Temin We were speaking with Randy Resnick, director of the Zero Trust Portfolio Management Office in the DoD’s office of the Chief Information Officer. And it sounds like that would have a big effect on the way you approach security operations centers and network operations centers, where there is less noise and therefore less engagement of people on.
Randy Resnick So it’s interesting that you bring that up because that’s actually, a huge current subject that we are entertaining now with [Joint Force Headquarters – Department of Defense Information Network (JFHQ-DODIN)], which is attached to us Cyber comm, because the question is in a future zero trust infrastructure, what signals do they need to receive in order to command and control activity to stop adversary maneuvers? So in the event that an adversary is moving around, the noise on the network would be a lot lower. They would be able to see and detect needles in haystacks, visibility and analytics due to technology that is, exploded just in the last two years. AI, for example. In LLMS. So we’re entering a phase now where the planets are lining up where I believe and I’ve said this, we’re going through almost a renaissance or a new phase in cybersecurity defense. Folks have been very focused on offense for quite a while, but defense has always lagged in terms of actual implementation on the ground. And now I believe I see it is we’re playing significant catch up and putting down true defenses for cybersecurity via zero trust. But also technology is coming to bear now that didn’t exist a few years ago to allow us to get past the human in the loop. And we can automate a lot of the things that have been problems in our past.
Tom Temin But you would probably want to have some kind of, let’s call it meta noise as you reduce the noise in the network and therefore free up operators to do other things. You would still need to know, I would think, the trends in what it is that’s being blocked, because somehow those have a way of developing something that will be trouble.
Randy Resnick So that information gets logged and those logs would be analyzed. So what gets blocked would be logged in, analyze and captured. But also the good traffic is also of interest. Because it’s not only what’s happening and what’s flowing, but from an identity point of view it would be nice to know what Tom looks like on a particular day, so that if something unusual is happening at your desktop or your log on, that is way off Tom’s, let’s say, biometric or your daily activity that actually will get flagged. So zero trust has those subtleties too. And that is part of the implementation of target is modeling some of these things as part of a multifactor authentication and the continuing authentication throughout the day.
Tom Temin That means you need to keep up. Getting back to the people aspect of this, keep up with where people, especially those that are uniformed, that are moving around a lot and may end up transferred to another base, another camp, whatever city. That wait a minute he was in Fort Hood or whatever they call it now last. And now he’s on the West Coast or something, or she’s on the West Coast.
Randy Resnick And there there are unique pieces of information on our Cathcart as the example for the DoD or the military, where we can track a user at least from one perspective, wherever they are or wherever they’re signing on. If they’re using that device, they are uniquely identified. And so that would be one way that we would do that.
Tom Temin And finally, how are you getting the continued buy in of the many, many quasi independent components, both within the armed services, other large DoD agencies, to listen to what’s happening from the CIO’s office? I guess that’s an eternal question.
Randy Resnick Yeah. So I’ve been very lucky in the sense that I have leadership above me that has, without question and in synchronous and synchronicity, have been championing the need to move to zero trust. It starts from the secdef on down, at least in the DoD, and it’s repeated numerous times. All the time. It’s in everything. But if you recall, there was an EO 14028 which came out from the president, which signed out the need to move to zero trust. So the zero trust is much more than a DoD thing. It’s an all of government, all of US federal government thing. And so we are partnering purposely with the fed safe community to make sure that they know the direction that we’re going, how we define zero trust, what our strategies are. And they have mimicked to the extent that they are doing so. They’re mimicking our path, our definition, our way of thinking about zero trust. The IC community is also thinking of that surprising to me. The Five Eyes, NATO and other allied partners are also looking at the Department of Defense because not only have we been really first maneuver in zero trust in defining all of it, but we’re moving out much faster in industry. We are really lucky to have a leadership position, and everybody is adopting our work because our work is so expensive. It just saves them years of eventually getting to the same place. So it’s a quick way for them to catch up and then to decide what they want to do. So getting back to DoD CIO, Honorable Sherman, has been a tremendous champion of zero trust. Everywhere we go, we talk about in conferences, ZT, we have agencies talking about it. And so essentially, it’s an absolute mandate that everybody recognizes and they don’t question it. So it’s like I’m using one finger to open up 1,000 pound door. It swings open. It’s really not been a challenge, which has been a huge help for the portfolio office, because that’s allowed us to move out extremely quickly. So you would think that we would have these challenges since the DoD is so large that has not been the case. What has been challenging is resources and funds, but that is just an annual cycle, and it’s to be expected.
Tom Temin An annual cycle that could begin any given random month of the year, the way things operate.
Randy Resnick Every month of the year, there’s always a phase.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED