DOD looking to cloud vendors to accelerate zero trust and CMMC adoption

Dave McKeown delivers a keynote at DefenseScoop's DefenseTalks conference. (DefenseScoop)

Cloud service providers are being called on to support the Department of Defense’s pressing cybersecurity initiatives to implement zero trust and better secure small and medium-sized contractors in the defense industrial base under the Cybersecurity Maturity Model Certification (CMMC).

As the DOD looks to transition to a zero-trust security architecture over the next five years, the department is engaging the cloud partners awarded spots under its Joint Warfighting Cloud Capability (JWCC) multi-cloud acquisition vehicle to see if they can provide zero-trust capabilities via the cloud, Dave McKeown, the department’s chief information security officer, said Thursday at DefenseScoop’s DefenseTalks conference.

“We’re engaging with all of the vendors that are part of JWCC and having them kind of run through their service offerings and compare against our activities to see where they sit so that we could perhaps just consume zero trust in their clouds,” McKeown said.

Doing this would likely be a much easier approach for DOD organizations than trying to bolt zero-trust principles and tools onto their own existing environments. McKeown described this as “a very difficult proposition to add in the tools, use your existing tools, make them all integrate, and develop the orchestration and automation and response that you need.”

The vendors that earned spots on the JWCC contract are Amazon Web Services, Google Cloud, Microsoft and Oracle.

For more specialized circumstances, the DOD is also developing a purpose-built cloud to host workloads on-premises when, for security reasons, it’s not possible to move them into a commercial cloud environment, he noted.

McKeown said the focus on cloud services to support zero trust will be part of a forthcoming zero-trust strategy and implementation plan his team has developed and that is “being finalized.” Under that strategy, the DOD aims to transition to this architecture by 2027, John Sherman announced last month.

“The strategy contains 152 different capabilities to achieve complete, robust zero trust,” he said. “And we also have a smaller subset of controls in there. There’s 90 of them. If you implement that, you’ll get targeted zero trust.”

Likewise, as the DOD works to secure contractors in the defense industrial base, it’s asking cloud providers to help secure some of the smaller contractors that might not have the resources themselves to meet the requirements imposed by the forthcoming shift to CMMC compliance.

Under the CMMC 2.0 rules, expected to go into effect next year, contractors that handle the department’s controlled unclassified information will have to be certified in meeting one of three tiers of cyber requirements. And some contractors worry that the costs to get to that point could run them out of business.

But McKeown said the defense industrial base cybersecurity team that was recently moved under his leadership is working to support those concerned contractors.

“We’re still hearing cries from industry small, medium-sized businesses that maybe it’s too onerous to uplift your environment,” he said. “We have a plethora of cybersecurity tools and services that we can offer to DIB partners, as well as we are again teaming with cloud providers to see what sort of secure environments they can provide that industry can just consume in order to protect DOD Information.”