Department of Defense (DoD) Chief Information Officer (CIO) John Sherman explained Wednesday how the department is working toward his goal of implementing zero trust across DoD enterprise systems by 2027, including the upcoming milestones for reaching that goal.
At the AFCEA TechNet Cyber conference in Baltimore on May 3, Sherman said the DoD already published its zero trust strategy last year, but this year the CIO is looking to achieve his goal through a “pick your own adventure” approach.
“The way we’re coming out this here is a little bit of a ‘pick your own adventure’ for the military services and components, where they kind of have three courses of action that they can mix and match,” Sherman said.
The first approach, he said, is they can overlay the 91 targeted zero trust capabilities on their current infrastructure and architecture.
The second approach is they can achieve zero trust on the Joint Warfighting Cloud Capability (JWCC) services with the four vendors – Amazon Web Services, Google Support Services, Microsoft, and Oracle. Or, option three is they can select a private cloud option.
“What we’re doing right now is getting through technical sessions … working with the military services and components about the pathway they’re going to take here, and we can really put a POAM [Plan of Action and Milestones] and a set of milestones together to get out to the 2027 goal,” Sherman said.
“What we’re working with right now, we’ve been socializing the zero trust way ahead, but here very shortly, we’re going to want to see the milestones from the services and others on that roadmap to 2027,” he added.
The CIO also took the time to thank the Defense Information Systems Agency (DISA) for its work on the Thunderdome zero trust security initiative, which is one solution that is helping the DoD to achieve its zero trust goal.
Earlier this week at the conference, DISA Director Lt. Gen. Robert Skinner said his agency is currently working through its acquisition strategy to launch Thunderdome into full production within the next 30 to 60 days.
“Zero trust is not going to be unobtainium in the department,” Sherman said. “We’re going to make this happen by 2027 from all of our networks and again, preventing lateral movement through microsegmentation, fine-grained access endpoint management in a way we’ve not done, and assuming an adversary is already on our network and then proceeding apace.”
“We cannot fail on this, and this is going to be and remains one of my top priorities as chief information officer,” he concluded.