DOD signs out zero trust strategy

(Getty Images)

The Department of Defense has signed out its much anticipated zero-trust strategy aimed at bolstering its cybersecurity.

It was signed last Thursday by Chief Information Officer John Sherman, and officials expect it could be publicly released in a week or two once the classification review is completed, Randy Resnick, director of the zero trust portfolio management, said Wednesday at the FCW CDM Summit.

Officials have previously announced a self-imposed deadline for the DOD to achieve a zero trust architecture — a set of principles that essentially assumes networks are already compromised and requires organizations to validate users, devices and data continuously — in five years.

“We placed a five-year deadline upon the Department of Defense in order to reach a certain level — a level that we believe we’re going to slow down and contain the adversary. And that level is called the ‘target level,’” Resnick said. “In the DOD, we found that necessary to define our outcomes in terms of a target level necessary to stop an enemy from moving laterally that is either already in our network, or an enemy from penetrating perimeter boundaries that we have in place today or might establish in the future.”

He added that officials have identified 152 total activities in zero trust. Ninety-one are needed to achieve the target level and 61 at the advanced level. More details are expected once the strategy is released.  

DOD has articulated a seven pillar model for zero trust: user, devices, applications and workloads, data, network in the environment, visibility and analytics, and automation and orchestration.

“DOD recognizes the seven pillar model, primarily because we assess that each pillar is of equal cybersecurity importance and must be viewed as such. Not treating them as equal will result in potentially not giving appropriate attention and resources to the remaining pillars; that can possibly generate weaknesses in your ZT solution and to potentially allow the adversary to slip through,” Resnick said.

“We’ve had many experiences in DOD where we wrongly implement cybersecurity tools and techniques and controls, and we did less so in other areas of the network — and the adversary is going to always find the place where you’re at your weakest point. That’s why when we thought through the strategy for cybersecurity, we deemed and said, ‘We’re going to treat all pillars equally as important.’”

Zero trust is also a cross-cutting concept not bound by simply IT, Resnick noted. It is a challenge across what DOD refers to as DOTMPF-P: doctrine, organization, training, materiel, leadership and education, personnel, facilities and policy.

“It really challenges the Department of Defense and anybody going to ZT that it really is a fundamental shift in the culture itself,” Resnick said.

Since zero trust is not a single entity, but rather, a set of principles, Resnick said there will not be a one-size-fits-all solution. As such, DOD is developing complementary courses of action it can execute for completing zero trust architectures.

The first course of action is to modernize zero trust infrastructure on top of the existing IT. The second is commercial cloud.

DOD has asked cloud venders if they can implement zero trust in their clouds and they’ve essentially said they can, according to Resnick. Now, DOD is lining up pilot activities with these cloud vendors, which were the companies chosen to compete for the DOD’s enterprise cloud solution known as the Joint Warfighting Cloud Capability (JWCC). They include Amazon, Microsoft, Oracle and Google.

Additionally, DOD will be working with coalition and other partners on zero trust. They have expressed significant interest, he noted.