The Defense Department's new zero trust strategy, part of a family of strategies living under the National Defense Strategy (NDS), establishes its zero trust vision to improve security, user experience and overall mission performance while achieving information dominance.
The strategy will be critical to implementing DOD's Joint All-Domain Command and Control (JADC2) plan, which aims to connect the joint forces through secure, seamless communication for improved response times in theater.
The long-anticipated strategy provides guidance for advancing the zero trust concept, including gap analysis, requirements, development and investment in zero trust capabilities, with the aim of producing the department-wide cybersecurity improvements needed to protect against malicious actors.
“We’re taking an aggressive stance. Our funding is in alignment with this — that we want to be at targeted zero trust for the Department by the end of fiscal year 2027,” David McKeown, DOD deputy CIO for cybersecurity, said at the Billington Cybersecurity Summit in September. “It is very comprehensive. It’s our North Star.”
The zero trust strategy is nested under the department's Digital Modernization Strategy and aligns with President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity from 2021, the Federal Zero Trust Architecture Strategy the Office of Management and Budget (OMB) released in January, the National Defense Authorization Act for Fiscal Year 2022 and other Executive-level memorandums that guide the department toward implementing zero trust architecture across the board.
The DOD Office of the Chief Information Officer (OCIO) also established a Zero Trust Portfolio Management Office (PfMO) in January, which is responsible for coordinating DOD-wide zero trust execution.
“Defending DOD networks with high-powered and ever-more sophisticated perimeter defenses is no longer sufficient for achieving cyber resiliency and securing our information enterprise that spans geographic borders, interfaces with external partners and supports millions of authorized users, many of which now require access to DOD networks outside traditional boundaries, such as work from home,” DOD CIO John Sherman wrote in a foreword to the new strategy.
Four Strategic Goals
The strategy sets four goals to achieve DOD's vision for zero trust.
1. Zero trust cultural adaptation, where all DOD employees understand, are trained in and are committed to a zero trust mindset and culture.
“This urgency means that our colleagues, our warfighters, and every member of DOD must adopt a zero trust mindset, regardless of whether they work in technology or cybersecurity or the human resource departments,” Sherman wrote. “This 'never trust, always verify' mindset requires us to take responsibility for the security of our devices, applications, assets and services; users are granted access to only the data they need and when needed.”
2. DOD information systems are secured and defended, where a zero trust framework is applied to all new and legacy information systems.
To accomplish the “information systems secured and defended” goal, DOD and its components need to achieve 45 capabilities organized around seven pillars: user; device; application and workload; data; network and environment; automation and orchestration; and visibility and analytics. DOD aims to publish the component-level execution plan by September 2023, which will guide how zero trust should be applied across its networks. Components must achieve target-level outcomes for the zero trust capabilities by the end of fiscal year 2027.
3. Technology acceleration, where zero trust-based technologies are deployed at a pace exceeding industry advancements and stay ahead of the ever-changing threat environment.
4. Zero trust enablement, where the zero trust framework is “cemented” across the DOD information enterprise (IE), which will require processes, policies and funding.
“This goal identifies the 'tail' to the [zero trust] 'tooth,' the latter being unable to achieve its mission without the former, and requires the whole of the [zero trust] ecosystem’s attention and effort and cannot be addressed 'at a later time,'” according to the strategy.
The strategy breaks zero trust down into two levels of implementation: the target level and the advanced level. The target level is the minimum set of zero trust activities necessary to protect against and manage known threats, and it is planned to be achieved “as soon as possible.” The new zero trust portfolio management office will monitor and guide this progress.
As for resourcing and acquisition, the strategy does not mandate a specific technology or solution that must be applied to achieve zero trust. As long as the components reach the target zero trust level through the described capabilities and move on to the advanced level, they can design their own solutions.
“The components are free to select their own solutions and solution architectures, as long as they deliver the specified [zero trust] capability outcomes needed to reach the target or advanced-level zero trust and are able to show that proof,” the strategy reads.
In addition, DOD released the Zero Trust Capability Execution Roadmap, which provides recommendations and timelines for reaching zero trust.
DOD IT and cyber leaders have long emphasized the importance of rapidly developing new capabilities for JADC2, but over-classification and the lack of secure data exchange remain some of the main hurdles to the successful implementation of those capabilities.
Special Operations Command (SOCOM) has repeatedly reported that over-classification is an obstacle to meeting mission-critical needs. Air Force leaders have said secure communication networking remains a hindrance to JADC2 implementation.
Air Force Chief Data and AI Officer Maj. Gen. John Olson believes zero trust is "essential" to JADC2 implementation.
"We've been talking about zero trust for a long time with Thunderdome. We need to get real implemented data- and user-level zero trust," Olson said at the National Defense Industry Association's JADC2 Symposium in July.
Programs such as the Defense Information Systems Agency's (DISA) Thunderdome zero trust prototype are designed to enable DOD employees and service members to securely access the resources they need "without having to traverse the DODIN." DISA expects the Thunderdome prototype for DOD's unclassified and classified networks (NIPRNet and SIPRNet) to be completed by January 2023, according to a recent interview with GovCIO Media & Research.
While prototypes like these won't solve all the problems on the way to JADC2 implementation, they will allow users to securely access the critical information they need to complete their missions.
“For JADC2, zero trust is essential. When dealing with peer competitors, we have to assume things are compromised. That particular policy or set of policies is essential to the way forward,” Stuart Whitehead, DOD Cyber and Command, Control, Communications and Computers (C4) deputy commander, said during the Potomac Officers Club event.
DOD Cloud and Armed Services
Zero trust underpins all DOD services' and components' modernization efforts as they move to a cloud environment. DOD plans to rely on commercial cloud service providers (CSPs) to help deliver zero trust solutions compatible with DOD cloud, according to the DOD Zero Trust Capability Execution Roadmap released with the zero trust strategy. Key to successful implementation will be standardization of zero trust tools across the enterprise and maintaining DOD's "target" zero trust maturity level.
The Army's updated cloud plans align with DOD's various IT modernization initiatives and rely upon a zero trust approach to cybersecurity. So far, the Army has moved about 100 applications to the cloud and awarded a $1 billion contract called Enterprise Application Migration and Modernization (EAMM) to help achieve those long-term goals. A zero trust approach to security is one of the primary pillars facilitating the many cloud projects in the Army's pipeline.
"Globally, we've been fielding systems and accrediting those systems and construct the kind of a network perimeter security model, and this pivot into zero trust really changes the way not only our infrastructure is delivered, our enterprise services are delivered, but then also how our applications and services and, most importantly, our data is structured to leverage a zero trust architecture," Paul Puckett, director of the Army's Enterprise Cloud Management Agency (ECMA), told GovCIO Media & Research.
At the Navy, Principal Cyber Advisor Chris Cleary and CTO Jane Rathbun consider identity management the first step and cornerstone of a robust zero trust strategy, which they're pursuing aggressively via the department's Cybersecurity Superiority Vision released last month.