
DOD Releases Zero Trust Architecture Implementation Strategy; David McKeown Quoted


The Department of Defense has issued its Zero Trust Strategy and Roadmap, which details its plan to move away from traditional network security approaches to zero trust architecture.

The list of goals—expected to be completed within the next five years—is intended to reduce network attack surfaces, allow risk management and necessary data-sharing in collaborative environments and contain and limit adversary activities, the department announced on Monday.

“With the publication of this strategy we have articulated the ‘how’ that can address clear outcomes of how to get to zero trust — and not only accelerated technology adoption, as discussed, but also a culture of zero trust at DOD and an integrated approach at the department and the component levels,” said David McKeown, acting principal deputy chief information officer and deputy CIO for cybersecurity at DOD.

David McKeown is confirmed to keynote the Cloud Security Forum hosted by ExecutiveBiz on March 22, 2023.

Explaining the idea behind zero trust, McKeown said that the architecture is based on the assumption that a breach has already occurred within cyber boundaries and on responding to threats in an appropriate manner.

The implementation of zero trust architecture has become an increasing priority within federal organizations following a May 2021 Executive Order, which called upon federal organizations to establish this method as soon as possible.

According to McKeown, the department’s new strategy was developed over the course of a year and included the creation of the Zero Trust Portfolio Management Office, which was established earlier this year.

Randy Resnick, director of the office, will oversee much of the plan’s implementation.

“If we compare this to our home security, we could say that we traditionally lock our windows and doors and that only those with the key can gain access,” Resnick stated.

“With zero trust, we have identified the items of value within the house and we place guards and locks within each one of those items inside the house. This is the level of security that we need to counter sophisticated cyber adversaries,” he added.

The roadmap identifies four strategic goals that enumerate what the Department of Defense will do to achieve its zero trust objectives. These include zero trust cultural adoption to equip the agency’s people with a zero trust mindset; securing and defending its information systems by incorporating zero trust into new and old systems; technology acceleration; and zero trust enablement.

Resnick stated that the roadmap’s development was a multi-organizational endeavor, which included the National Security Agency, the Defense Information Systems Agency, the Defense Manpower Data Center, the U.S. Cyber Command and the military services.

The collaborative effort resulted in the development of 45 capabilities and over 100 activities enabled by those capabilities, many of which are intended to be utilized to achieve baseline compliance with zero trust architecture.

“Each capability, the 45 capabilities, resides either within what we’re calling ‘target,’ or ‘advanced’ levels of zero trust. DOD zero trust target level is deemed to be the required minimum set of zero trust capability outcomes and activities necessary to secure and protect the department’s data, applications, assets and services, to manage risks from all cyber threats to the Department of Defense,” Resnick explained.

Every agency within the department will be required to comply with the plan’s baseline targets for zero trust implementation. Select agencies may be expected to reach more advanced standards.

“We want to encourage those who have a greater need to secure their data to adopt this advanced level,” McKeown emphasized.

Resnick stressed that the baseline standards do not represent a lower standard of security and still indicate a full adaptation of zero trust architecture methods able to identify and stop the adversary. These standards are also flexible, as the plan leaves room for requirements to be added or modified.

“The target level of zero trust is going to be that ability to contain the adversary, prevent their freedom of movement from not only going laterally but being able to even see the network, to enumerate the network and to even try to exploit the network,” he added.

The plan’s implementation will better equip the department to prevent adversaries’ attacks and minimize damage by 2027, according to Resnick.