Published on November 22nd, 2022
Pentagon releases zero trust strategy to guide DoD cybersecurity priorities
The Defense Department officially unveiled a zero trust strategy and roadmap today, laying out how DoD components should direct their cybersecurity investments and efforts in the coming years to reach a "target" level of zero trust maturity over the next five years.
The release of DoD's zero trust strategy follows on the heels of the White House Office of Management and Budget's federal zero trust strategy published earlier this year. DoD's strategy lays out a detailed and ambitious plan for defense components to attain specific zero trust capabilities by 2027.
The aim is to counter a "rapid growth" in offensive cyber threats by shifting away from a perimeter defense model to a "never trust always verify" mindset, DoD Chief Information Officer John Sherman wrote in the foreword to the strategy.
"Zero Trust is much more than an IT solution," Sherman wrote. "Zero Trust may include certain products but is not a capability or device that may be bought. The journey to Zero Trust requires all DoD Components to adopt and integrate Zero Trust capabilities, technologies, solutions, and processes across their architectures, systems, and within their budget and execution plans. Perhaps most importantly, they must also address Zero Trust requirements within their staffing, training, and professional development processes as well."
The strategy lays out four strategic goals: zero trust culture adoption; DoD information systems secured and defended; technology acceleration; and zero trust enablement.
DoD's approach includes 45 separate "capabilities" organized around seven "pillars": users, devices, networks and environments, applications and workloads, data, visibility and analytics, and automation and orchestration.
And it segments DoD's expected progress across those pillars into "target" and "advanced" levels of zero trust. Some initial target capabilities in the coming years include user inventories, federated identity credential and access management solutions, endpoint detection and response tools, and software defined networking.
DoD expects all its components to achieve the "target" level goals by fiscal 2027.
"The strategy makes zero trust tangible and achievable, while recognizing a dynamic and frankly continuous improvement approach," Randy Resnick, director of DoD's zero trust portfolio management office, said in a call with reporters Tuesday.
The strategy also doesn't mandate the use of specific IT solutions or zero trust products, leaving it to the military services and fourth estate agencies to determine those specifics.
"We are not defining exact components that people have to buy, specific software or anything like that," Acting Principal Deputy CIO David McKeown said. "We are defining capabilities here. And we're leaving it up to the services for how they implement those and integrate them together in order to achieve the desired zero trust level."
DoD also released an associated "zero trust capability execution roadmap" today laying out a baseline "course of action" to zero trust using the department's current IT infrastructure and capabilities, known in IT parlance as a "brownfield" approach.
"There aren't any technical, critical path items that are unachievable for us to get to zero trust at the target level," Resnick said. "It's just a matter of leadership's ability to execute. We have the dollars, and every single year, we're doing a review of what's required going into the next years in the [Future Years Defense Program] to make sure that this is well funded."
Cloud zero trust pilots
DoD is also developing future zero trust roadmaps for both "commercial cloud" and "private cloud," respectively. Those approaches are expected to achieve zero trust "quicker" than the five-year, baseline approach, according to the roadmap document.
Resnick said the commercial cloud course-of-action is likely to be one of the "risks" in DoD's approach. DoD will be conducting zero trust tests with commercial cloud providers over the coming year.
"On paper, it looks great," Resnick said. "From a technical review point of view, it's achievable, according to the cloud vendor, as well as our own analysis. But what really needs to happen and what will be happening is we're going to be piloting it in an operational environment, and then we're going to have red teams go after it and do real attacks."
McKeown said DoD will likely pilot its zero trust approach with the four major commercial cloud providers involved in the Joint Warfighting Cloud Capability acquisition: Google, Oracle, Microsoft and Amazon Web Services.
"We gave them advance copies of drafts of what we're working on," McKeown said. "They were very encouraged that somebody had finally defined for them the things that they would need to hit in order to satisfy zero trust. . . . We have clearly defined a north star for these vendors and they were pretty happy with that."
Resnick said there could also be some challenges with how DoD components decide to pursue the zero trust goals using its current architecture, a commercial cloud, the private cloud, or a combination.
"There may be challenges from an integration point of view, and then deciding which one of the COAs or combination of COAs to choose," he said. "But that's something that we're prepared to talk about as a portfolio office with the services and the [defense agencies and field activities]."
Deadlines and pilots
Component-level execution plans laying out "how Zero Trust is applied across their networks, including all infrastructure and systems," are due to the DoD CIO's office by Sept. 23, 2023.
"System owners are responsible for executing and enforcing the move to ZT and must understand risks associated with delaying implementation," the strategy states. "Appropriate security controls, including potential refinements to how DoD implements the Risk Management Framework (RMF), must be designed and enforced to counter new attack vectors and emerging threats until a full rationalization of those systems can be conducted to either eliminate or modernize accordingly."
DoD components are also being directed to pilot zero trust on three legacy systems over the course of the next year, according to the strategy. And one of the first key deadlines for DoD organizations is to log all network traffic by the fourth quarter of fiscal 2023.
By the end of 2023, DoD components should begin deployment of zero trust into production systems, according to the strategy.
Components will have to address funding for their zero trust plans through the annual budgeting process, the strategy states. "DoD CIO will work with Components to address any Component-level resourcing shortfalls, each fiscal year, within the annual Program Objective Memorandum (POM) cycle, starting with the next immediate submission. Additionally, DoD CIO will work with Components to submit requests for new funding to Congressional appropriators through the regular DoD resourcing processes."
The zero trust portfolio management office will take metrics reported by the components and provide the DoD Cyber Council with a "combined scorecard," the strategy states, "to measure this strategic plan's progress and identify additional risks that need to be mitigated to advance overall ZT strategic objectives."
The council will serve as the primary authority on both zero trust technical and strategic direction, the strategy states. It is co-led by the DoD CIO and the DoD principal cyber advisor.
"Executing and achieving the objectives laid out in this strategy requires the coordinated efforts of the Joint Force and the entire defense ecosystem," the strategy states. "Everyone in the department has a role to ensure the success of ZT. While protecting data is central to ZT, successfully implementing our ZT framework requires that the entire Department understands and embraces a culture of ZT."