The director of the Defense Department’s (DoD) Zero Trust Portfolio Management Office said today that the Pentagon is already working on the next iteration of its Zero Trust Strategy that was released in November of 2022, with a focus on making zero trust work in challenging environments.
Randy Resnick – the lead on DoD’s plan to fully implement zero trust security by fiscal year 2027 – did not give a specific timeline for the next version of the strategy but said it will include addendums, including how to implement zero trust security in low bandwidth environments.
“We’re going to be working on probably a version 1.5 of the zero trust implementation plan,” Resnick said during a Billington Cybersecurity event on Jan. 19.
“There still is a great debate on whether or not you could do zero trust in a disconnected or very low bandwidth environment,” he continued. “When you look at the strategy and the implementation plan, it’s really written in an almost perfect world where it’s an enterprise level environment.”
“We’re talking about places that are air conditioned and we assume high bandwidth,” Resnick said. “This is a key question for the services, and they were absolutely right, and we did not address it.”
He said the next version of the strategy will have an “addendum” that his team will tack onto the existing document.
“We’ll call it 1.5 – or if need be, we’ll call it 2.0,” Resnick said. “But the next iteration will include both the tactical environment zero trust requirements, as well as what we have right now, plus any changes.”
DoD’s zero trust strategy was a long-anticipated roadmap outlining how the agency plans to fully implement a department-wide zero trust cybersecurity framework over a period of five years.
When his team sat down in February of 2022 to begin creating the strategy, Resnick said nothing existed publicly on how to build out a zero trust-based network. The department plans to continue to publicize unclassified documents to help other agencies on their own zero trust security journeys.
Resnick also mentioned that DoD will be “publishing a NIST 800-53 ZT overlay” that it hopes will become an eventual standard. This unclassified document will help DoD personnel understand what security controls are required for zero trust.
“We’re going to be continuing publication of documentation to further enhance the ability of the DoD to move and accelerate zero trust,” Resnick said.
He also said DoD will publish a document on zero trust in the context of 5G wireless services this year, and hopes that these documents, among others, will be used widely among allies in the cybersecurity world who are working to implement zero trust security.
“There’s a lot that’s going to continue,” Resnick said. “We think that we’re doing a service that goes outside and beyond the DoD.”