WASHINGTON — After months of teasing its zero-trust strategy, the Defense Department today released its plan outlining what it’ll take to achieve “targeted zero trust” by fiscal 2027 to address current threats, including those posed by adversaries like China — starting with a zero-trust cloud pilot this fiscal year.
“With zero trust we are assuming that a network is already compromised and through recurring user authentication and authentic authorization, we will thwart and frustrate an adversary from moving through a network and also quickly identify them and mitigate damage and the vulnerability they may have exploited,” Randy Resnick, DoD zero trust portfolio management office chief, told reporters ahead of the strategy’s release.
The 29-page strategy paints a concerning picture for DoD’s information enterprise, which is “under wide-scale and persistent attack from known and unknown malicious actors,” from individuals to state-sponsored adversaries, specifically China, who “often” breach the Pentagon’s “defensive perimeter.”
“The Department must act now,” the strategy document says.
The strategy is broken down into types of zero-trust goals: “targeted” zero trust, which is a required minimal set of activities DoD and its components need to achieve by FY27, and “advanced” zero trust, which provides the highest level of protection. A total of 152 “activities” are defined in the strategy — 91 activities to get to the targeted zero trust level and 61 advanced level activities.
“So we defined target as that level of ability where we’re actually containing, slowing down or stopping the adversary from exploiting our networks,” Resnick said. “So compared to today, where an adversary could do an attack and then go laterally through the network frequently under the noise floor of detection, with zero trust, that’s not going to be possible.”
While the strategy doesn’t point to specific technologies or solutions, it provides a roadmap of what capabilities DoD must implement to achieve the targeted and advanced levels. DoD components are also instructed to develop their own action plans to achieve target level outcomes by FY27 and ensure that their strategies align with “applicable Enterprise-level strategies,” according to the strategy.
“Reaching an advanced state does not mean an end to maturing zero trust,” Resnick said. “Rather, protection of attack surfaces needs to continue to adapt and refine as the adversary attack approaches and vectors mutate over time. The strategy also allows us to begin monitoring progress toward zero trust. It enables the components to define how… they implement zero trust and within the parameters of courses of action that we’ve provided in this strategy.”
In January, DoD established a zero trust portfolio management office within the Chief Information Officer’s office to accelerate zero trust adoption. Likewise, the Army CIO said in October the service will establish its own zero trust office. Resnick told reporters that DoD is encouraging other military services and agencies to also stand up similar offices.
The strategy also highlights the need for collaboration with industry partners, and the document aims to show industry where DoD is moving with its cybersecurity architecture and framework, Resnick added.
Eric Noonan, CEO of CyberSheath and former BAE Systems CISO, said the strategy lays out a bold direction for DoD and the federal government.
“Naysayers will argue that the strategy is five years or more too late, and although they might be correct, the bigger takeaway is that the DoD has found religion on cybersecurity and they are addressing it architecturally, aiming for a lasting and measurable effect,” Noonan said in a statement to Breaking Defense. “It is a swing-for-the-fences approach underpinned by some of the best thinking available and grounded in the reality that ‘one size fits’ all ensures failure.
“The DoD strategy builds in the flexibility necessary for success across such an enormous estate but sets the direction in a way that enables the DoD to be confident about any weak links in the chain,” he continued.
Imran Umar, senior cyber solution architect at Booz Allen Hamilton, told Breaking Defense in a statement that the strategy is an important milestone for two key reasons: It’ll help organizations define zero trust and the “level of details provided in the breakdown of capabilities and activities provide clarity where it previously did not exist.”
“Looking ahead, DoD has an ambitious goal of implementing a zero trust architecture across the department by 2027 to secure and protect sensitive data, assets, applications, and services from evolving threats,” Umar said. Both Booz Allen Hamilton and CyberSheath are involved in cybersecurity work related to the DoD.
Zero Trust Cloud Pilot
The strategy defines three courses of action for the Pentagon to ultimately reach its envisioned zero trust goals: establishing a zero trust “baseline,” relying on commercial providers to develop zero-trust compliant cloud environments and utilizing government-owned private cloud. Under the second course of action, DoD is planning on conducting a zero trust cloud pilot “this year,” likely referring to the current 2023 fiscal year.
“This year we’re going to be piloting zero trust in the clouds and it’s uncertain whether or not it actually will pan out,” Resnick said. “On paper, it looks great. From a technical review point of view it’s achievable, according to the cloud vendor and our own analysis. But what really needs to happen and what will be happening is we’re going to be piloting it in an operational environment and then we’re going to have red teams go after it and do real attacks.
“And that’s essentially proof of the pudding to see whether or not we could actually get the effects of zero trust that we want to get out of those clouds, implementing new [zero trust] overlays,” he said.