Randy Resnick, Director of the Zero Trust Portfolio Management Office within the Defense Department’s (DoD) CIO office, laid out the broad strokes of DoD’s zero trust security plans during a presentation on August 23 at the 930GOV event organized by Digital Government Institute.
At the heart of the zero trust plan is a focus on seven pillars – versus the five-pillar framework in the Cybersecurity and Infrastructure Security Agency’s (CISA) zero trust maturity model. Resnick said those pillars are:
- Users;
- Devices;
- Applications & Workload;
- Data;
- Network & Environment;
- Automation and orchestration; and
- Visibility & Analytics.
“How do we implement zero trust in an enterprise network? Nobody has ever answered that question,” Resnick said. “So, we had to come up on our own with zero trust capabilities and define that all seven pillars.”
“We came up with descriptions as to what exactly that is, so the user and industry partners could fully understand what we’re talking about in terms of the capabilities that we’re seeking from a zero trust implementation,” he said.
Resnick explained that each pillar features a variety of steps that have to be completed before heading on to next steps.
“You can think of these as dependencies, it’s a successor-predecessor relationship,” he said. “For example, as we go down the user pillar, in order to do 1.3 – multi factor authentication – you first have to achieve 1.1 and 1.2. Those fully have to be done” before progressing to the next point, he explained.
Included in the zero trust plan is a timeline of five years or less for the DoD enterprise to be fully operational, which means that in order to reach those goals over five million endpoints on DoD enterprise systems must be up to those standards.
