The Department of Defense (DoD) today released its long-anticipated zero trust strategy and roadmap outlining how the agency plans to fully implement a department-wide zero trust cybersecurity framework by fiscal year (FY) 2027.
“What is significant about the strategy is that the strategy makes zero trust tangible and achievable while recognizing a dynamic and, frankly, continuous improvement approach,” Randy Resnick, director for DoD’s Zero Trust Portfolio Management Office, said during a virtual press conference today.
DoD’s zero trust strategy and roadmap envision an information enterprise secured by a fully implemented department-wide zero trust cybersecurity “target level” framework that will reduce the attack surface, enable risk management, make data-sharing effective in partnership environments, and quickly contain and remediate adversary activities.
The roadmap – released along with the strategy – lays out a baseline approach to zero trust using the department’s current IT infrastructure and capabilities.
“With the publication of this strategy we have articulated how to get to zero trust, not only with accelerated technology adoption but also a culture of zero trust at DoD,” said David McKeown, DoD’s acting principal deputy chief information officer (CIO).
DoD CIO John Sherman first announced DoD’s intention to implement a department-wide zero trust architecture in late August. Sherman acknowledged that the plan is ambitious, but that it had to be because current and future cyber threats and attacks have driven the need for a zero trust approach that goes beyond the traditional perimeter defense approach.
To achieve that zero trust vision, DoD outlined four high-level integrated strategic goals:
Strategic Goal One: Zero Trust Cultural Adoption
A zero trust security framework and mindset guide the design, development, integration, and deployment of information technology across the DoD zero trust ecosystem. All DoD personnel are aware of, understand, are trained in, and are committed to a zero trust mindset and culture, and support integration of zero trust.
Strategic Goal Two: DoD Information Systems Secured and Defended
The DoD cybersecurity practices incorporate and operationalize zero trust in new and legacy systems to achieve enterprise resilience in DoD information systems.
Strategic Goal Three: Technology Acceleration
Zero trust-based technologies deploy at a pace equal to or exceeding industry advancements to remain ahead of the changing threat environment.
Strategic Goal Four: Zero Trust Enablement
DoD’s zero trust execution is synchronized with department-level and component-level processes, policies, and funding, resulting in seamless and coordinated efforts.
Pillars and Timelines
DoD’s approach includes seven pillars: users; devices; networks and environments; applications and workloads; data; visibility and analytics; and automation and orchestration. The strategy segments DoD’s expected progress across those pillars into “target” and “advanced” levels of zero trust.
“At the target level of ability, we’re containing, slowing down, or stopping the adversary from exploiting our networks,” Resnick said today. “In the majority of the DoD that’s our goal, because that’s what we’re trying to achieve based on the legacy models that we see today.”
DoD expects the “target” level goals to be achieved by FY2027. Only specific organizations will be required to meet the “advanced” level goals in the upcoming years, but officials do not see the need for any department-wide mandate in the future.
In addition, the strategy directs DoD organizations to pilot zero trust on legacy systems over the next year. One of the first key deadlines for DoD organizations is to log all network traffic by the fourth quarter of fiscal 2023. By the end of 2023, DoD organizations should begin deployment of zero trust into production systems, according to the strategy.
“Oftentimes in a project like this, our early metrics are just adoption metrics, showing the pace. For instance, we have 10,000 information systems that we know we’ve got to get under a zero trust umbrella. So, at a very high level, we will be tracking that implementation,” Resnick said.
Individual execution plans from DoD organizations laying out “how Zero Trust is applied across their networks, including all infrastructure and systems,” are also due to the DoD CIO’s office by Sept. 23, 2023.
CDM, Cloud Angles
Resnick also explained that DoD is prepared to facilitate industry collaboration to help implement the 45 zero trust capabilities laid out in the strategy – 20 of which are related to the Continuous Diagnostics and Mitigation (CDM) program run by the Cybersecurity and Infrastructure Security Agency (CISA).
In addition, DoD is developing future zero trust roadmaps for both commercial and private cloud, which are expected to achieve zero trust “quicker” than the five-year, baseline approach, officials said. DoD plans on piloting its zero trust approach with the four major commercial cloud providers involved in the Joint Warfighting Cloud Capability acquisition: Google, Oracle, Microsoft, and Amazon Web Services.
“We gave them advanced copies of drafts of what we’re working on,” Acting Principal Deputy CIO David McKeown said. “They were very encouraged that somebody had finally defined for them the things that they would need to hit to satisfy zero trust … We have clearly defined a north star for these vendors, and they were happy with that.”