WASHINGTON — The Pentagon’s upcoming new zero trust strategy will outline dozens of capabilities needed to bring the Defense Department to what it’s calling “targeted” zero trust, a departure from its previous framework, a defense official said today.
The strategy, which could come out sometime this month, outlines 90 capabilities “at the targeted zero trust level, which are clearly defined,” David McKeown, deputy chief information officer for cybersecurity, said at the Billington Cybersecurity Summit. “We have a definition of what it takes to check the box and fulfill that particular capability. Those 90 capabilities are going to get us to what we’re calling targeted zero trust.”
An additional 62 capabilities that will get the Pentagon to a “more advanced zero trust” that could be used on national security systems or systems that are “very, very important” are also defined in the strategy, he added.
Zero trust — a framework the Pentagon has increasingly been focusing on — assumes a network is always at risk of being exposed to threats and requires all users to be authenticated and authorized. On Jan. 19 this year, the Biden administration issued a memorandum on improving the cybersecurity of DoD, intelligence community and national security systems, setting forth specific guidelines for agencies to adopt zero trust architecture implementation plans.
In a following memorandum dated Jan. 26, the White House’s Office of Management set forth a federal zero trust architecture strategy that called for agencies to meet specific cybersecurity standards by the end of fiscal 2024.
“A key tenet of a zero trust architecture is that no network is implicitly considered trusted — a principle that may be at odds with some agencies’ current approach to securing networks and associated systems,” according to the memorandum. “All traffic must be encrypted and authenticated as soon as practicable.”
The upcoming strategy from DoD is different from the Pentagon’s previous zero trust framework, which McKeown said defined seven “pillars” and how they would evolve levels of maturity.
John Sherman, the Defense Department’s chief information officer, said in August that the strategy will define DoD’s approach to zero trust between the “main controls” to the most sensitive systems.
Sherman added that one of his goals is to implement zero trust architecture across the majority of DoD enterprise systems in the next five years, saying the “adversary capability we’re facing leaves us no choice but to move at that level of pace.”
During his comments today, McKeown reiterated Sherman’s remarks and said DoD is creating an implementation plan for each of the military services and DoD agencies
The plan includes three methods to get after DoD’s targeted zero trust goals, including uplifting each service and agency’s current environment to satisfy the 90 capabilities and implementing a zero trust cloud on-premises that meets the highest level of zero trust
“And then we’ve been partnering with a lot of cloud providers to have them examine their current FedRAMP cloud offerings and many of them are very far along,” McKeown said. “A couple are at the 90% level for meeting those targeted zero trust capabilities. So we’re really excited about that, that we have those three offerings. The fact that we’re pointing to the cloud continues our strategy overall in the department to increase our cloud utilization and it also furthers the federal government’s goal of increasing cloud utilization.”
Air Force Chief Information Officer Lauren Knausenberger said on Aug. 29 that zero trust is the framework that will allow the service to simplify its war fighting environment.
“If we can get to the point where we know who you are, that we have our data tagged, that we can get to multi-level security, that we can maybe not have folks like the USAF commander have 22 different networks in five different machines on their desk, [then] we can fight a lot more easily,” she said during the Department of the Air Force Information Technology and Cyberpower conference.
The Air Force has already started defining its zero trust vision for the next six years in a new draft interim strategy published Aug. 26 meant to guide the service on where to spend its time and focus through fiscal 2028.
The service is aiming to implement a zero trust architecture that “protects data in a cohesive way across multiple classification levels,” according to the strategy, including the foundation identity (ICAM) elements that manage users, credentials and the access risk based on the sensitivity of the resources being protected.