The Department of Defense (DoD) published its Zero Trust Strategy and Roadmap, which lays out the migration from traditional network security strategies to a zero trust architecture to counter evolving cyber threats against federal networks.
According to DoD’s acting chief information officer for cybersecurity, David McKeown, the department spent a year developing plans for migrating to zero trust architecture by 2027.
The plans include establishing a Zero Trust Portfolio Management Office to accelerate the adoption of zero trust.
“With the publication of this strategy we have articulated the ‘how’ that can address clear outcomes of how to get to zero trust — and not only accelerated technology adoption, as discussed but also a culture of zero trust at DOD and an integrated approach at the department and the component levels,” McKeown said.
According to McKeown, the zero trust architecture assumes a breach has already occurred within the network boundaries and responds accordingly.
The roadmap follows the May 2021 Executive Order on cybersecurity directing federal agencies to create a plan for migrating to zero trust architecture.
DoD outlines zero trust architecture goals
DoD CIO John Sherman said that every DoD member must adopt a zero trust mindset, regardless of whether they work in technology.
By moving past perimeter-based defenses, the DoD aims to reduce the attack surface, allow risk management and data sharing in collaborative environments, and limit adversaries’ activity within federal networks.
The Zero Trust Strategy and Roadmap identified four strategic goals: zero trust cultural adoption, secured and defended DoD information systems, technology acceleration at a pace matching or exceeding industry advancements, and zero trust enablement to ensure synchronization with zero trust principles.
Agencies must achieve baseline zero trust compliance
The DoD zero trust strategy identified 90 capabilities needed to achieve “targeted zero trust,” while another 62 capabilities would help achieve “more advanced zero trust.”
“We have a definition of what it takes to check the box and fulfill that particular capability. Those 90 capabilities are going to get us to what we’re calling targeted zero trust,” McKeown said at the Billington Cybersecurity Summit.
The DoD and its partners have also worked out 45 separate capabilities and 100 activities necessary for achieving baseline compliance with the zero trust architecture. These capabilities reside in the targeted or advanced zero trust levels.
Every agency across the DoD will be required to achieve targeted zero trust, while some may achieve advanced levels. However, McKeown advised agencies with a “greater need to secure their data” to adopt advanced zero trust. He also suggested that the advanced zero trust levels might be required for national systems, although not necessarily mandatory for every system out there.
According to Randy Resnick, the director of the Zero Trust Portfolio Management Office, the target level is the minimum requirement for “containing, slowing down, or stopping” an adversary from exploiting the DoD’s network.
“DOD zero trust target level is deemed to be the required minimum set of zero trust capability outcomes and activities necessary to secure and protect the department’s data, applications, assets, and services, to manage risks from all cyber threats to the Department of Defense,” Resnick said.
Resnick also clarified that the baseline level does not translate to a lower security standard and would remain the mandatory compliance level.
DoD to engage vendors in implementing zero trust architecture
The roadmap aims to implement zero trust on existing IT infrastructure, commercial cloud environments, and government-operated private clouds.
The DoD has held consultations with commercial cloud providers on implementing zero trust architecture on their infrastructure.
“We asked them, ‘Can we implement zero trust in your current cloud?’ And they came back to us with numbers that seemed to indicate the answer was yes,” Resnick said.
However, Resnick warned that no provider could meet all 90 capabilities outlined in the zero trust architecture. Thus, vendors must team up to develop a solution for the Department of Defense.
Microsoft lauded the DoD zero trust strategy roadmap, claiming to have a “full array of fit-for-purpose security tools to achieve zero trust outcomes.” The tech giant also said it has an open ecosystem with more than 90 zero trust partner solutions that could allow it to achieve advanced zero trust levels.
Meanwhile, the Defense Information Systems Agency (DISA) and the National Security Agency (NSA) zero trust team developed a Zero Trust Reference Architecture (ZT RA) to assist stakeholders in operationally contextualizing and understanding the principles and rules when implementing the zero trust architecture for their products and processes.
The DoD plans to roll out a pilot project using commercial cloud environments used by the Army and Air Force and “document it heavily.”
The Pentagon has already rolled out a small pilot using its IT infrastructure, although the concepts outlined in the zero trust architecture document have not undergone testing.
“The latest zero trust strategy from the Defense Department is an important step in ensuring investment is made to accelerate the adoption of zero trust. It’s encouraging to see that deadlines to submit execution plans and for completion have been set, as without these there is often a lack of urgency to act,” said Steve Judd, Solutions Architect at Venafi. “The move towards a ‘never trust always verify’ mindset is also very positive as an essential element of zero trust is identity. Every actor on the network – whether inside or outside the perimeter – must be authenticated and authorized with a valid identity.”