The Army is creating a zero-trust program office

A network engineer at U.S. Army Joint Modernization Command, works on creating the Project Convergence Mission Partner Environment during a Risk Reduction Event in February at JMC on Fort Bliss, Texas. (Photo by Jonathan Koester)

The Army is creating a zero-trust program office aimed at gaining better insight over the various efforts under the umbrella of the security architecture with the hopes of prioritizing better investment in associated technologies.

“The big announcement here today is [the Army is going to] really align all of these efforts under a single command and control and to make sure we have good alignment of these programs, because the zero-trust reference architecture is hard. There’s 90 different capabilities in there. But if we cannot map to that reference architecture and we don’t know how all these pieces fit together, then we don’t really know whether we accomplish that mission or not,” Raj Iyer, the Army’s chief information officer, told reporters Tuesday at the annual Association of the United States Army conference in Washington. “Getting under a single program office is the way to do it.”

That organization will not be an acquisition office, however, but more of an operational office sitting within Army Cyber Command, its commander said.

“First, we’re going to see all of our efforts. We’ve seen them to a certain extent under the unified network portfolio, but we’re going to bring it into sharper focus by having somebody dedicated to this,” Lt. Gen. Maria Barrett said Wednesday during an event hosted by Defense News at the AUSA conference. “From there, I think, we will better understand where the prioritization for investment is and not over-invest in one part of the framework versus another. I think that will be very helpful.”

Barrett and other Army leaders noted that zero trust isn’t a single thing, but really a set of principles. It essentially assumes networks are already compromised and requires organizations to validate users, devices and data continuously.

“It’s operationalizing a concept,” Lt. Gen. John Morrison, Army deputy chief of staff, G6, said regarding the new office housed under Army Cyber Command. Zero trust has “got to be synchronized in time and space and then implemented.”

Iyer added that the Army is going to be taking a sharper focus on cybersecurity in the next year or so. As the branch looks to take more advantage of commercial systems, from the enterprise to the tactical level, zero trust principles are a critical way it will be able to ensure these systems are secure.

“An area that we’re really focusing on this year is cybersecurity and that’s why this integrated program offers that we’re establishing with zero trust really is, again, one of those pieces that we felt like we were not doing well,” he said. This requires “us to take a very deliberate approach to putting together a reference architecture, aligning all the programs and the money and everything together, because again, some of them are programs for record, multiple [program executive offices].”

Currently, there’s a variety of efforts and programs under several PEOs, but the hope is the new office will get a better handle on where things are.  

“You tell me you’re going to give me widget X, widget X costs me $10 million to deploy across the enterprise, is going to give me $10 million worth of extra security. I got some other parts of the framework that we really do need to invest in that really would significantly improve my situation awareness ability to react to events and really support the type of network that we anticipate operating in,” Barrett said. “That’s really what this is.”

Service officials have also said realizing a true zero-trust architecture will be key for achieving the Pentagon’s new data-driven way of war, Joint All-Domain Command and Control (JADC2).

“The big one that we’re really tackling with every single day is the zero trust part of it,” said Maj. Gen. Jeth Rey, director of the Army’s network cross-functional team. “We’re looking at those, identity management and credentials and attribute-based access control and how we tag the data, get to the data … Zero trust part of it is really the key piece we have to get after. The user to the device, the device to the application … if we can achieve that in JADC2, we’re going to be moving even faster to get to our goal, no doubt.”

The Army’s push to coordinate its zero-trust efforts coincides with a larger one from the Pentagon and the Defense Department CIO to move to a zero-trust architecture within the next five years, largely enabled by advancements in the cloud.