The department and its partners developed a total of 45 capabilities and more than 100 activities from these capabilities
The Defense Department released its Zero Trust Strategy and Roadmap on Tuesday. It outlines how the department intends to go beyond traditional network security methods over the next five years in order to reduce network attack surfaces, improve risk management, facilitate data sharing in partnership environments, and contain and remediate adversary activity.
David McKeown, the department's acting chief information officer, stated that zero trust is a framework for moving beyond perimeter-based cybersecurity defense tools by assuming that a breach has already occurred within our boundaries and responding accordingly. McKeown stated that the department spent over a year developing plans to achieve a zero trust architecture by fiscal year 2027.
“With the publication of this strategy, we have articulated the ‘how’ that can address clear outcomes for how to get to zero trust — not only accelerated adoption of technology, as discussed, but also a culture and integrated approach at both the department and component levels.”
McKeown stated that it would take a lot of effort to get the Defense Department to achieve the Zero Trust Strategy and Roadmap goals.
Randy Resnick, the Zero Trust Portfolio Management Office director, will be responsible for ensuring that this work is done.
Resnick stated, “With zero trust, we assume a network has already been compromised. We will use recurring user authorization and authentication to stop an adversary from entering a network. Also, we will quickly identify them and mitigate any damage they might have done.”
Resnick described the difference between network security as it is practiced today and a zero trust architecture. Today's perimeter-based security assumes that everyone inside the network is trustworthy.
He said that if we look at home security, we traditionally lock our doors and windows, and only those who have the key can get in: “With zero trust, the items of high value in the house have been identified and locked. We then place locks and guards within them. This level of security is necessary to protect against sophisticated cyber adversaries.”
The Zero Trust Strategy and Roadmap sets forth four strategic goals at the highest level that are integrated and define what the department will do to attain that level of security. These are:
- Zero Trust Cultural Adoption — All DOD personnel are trained and aware of the importance of adopting a zero trust culture and mindset to promote the integration of zero trust.
- DOD Information Systems Secured and Defended — Cybersecurity policies incorporate zero trust in both legacy and new systems.
- Technology Acceleration — Technology advances are made at a rate equal to or greater than that of industry.
- Zero Trust Enablement — Policies, funding, and processes at the department and component levels are synchronized using zero trust principles.
Resnick stated that the Zero Trust Strategy and Roadmap were developed in collaboration with the National Security Agency and Defense Information Systems Agency.
Resnick stated that the department and its partners developed a total of 45 capabilities and more than 100 activities from these capabilities. Resnick explained that many of those activities would be used by the department and its components to achieve baseline, or “target-level,” compliance with the zero trust architecture within the five-year timeline.
He said that each of the 45 capabilities is assigned to either what we call the ‘target’ or the ‘advanced’ level of zero trust: “DOD zero trust target is the minimum set of zero-trust capability outcomes and activities required to secure and protect the department’s data and assets, and to manage cyber threats to the Department of Defense.”
Every agency in the department will have to adhere to the Zero Trust Strategy and Roadmap. A few agencies might need help to reach a higher level.
McKeown stated, “If you’re a national defense system, we might require the advanced level for those systems. Advanced is not necessary for all systems. Our goal is to be ‘target’ by 2027. We want to encourage people who have greater data security needs to use this level.”
Resnick stated that achieving the target level of zero trust does not mean accepting a lower level of network security.
“We defined target as that level of ability where we’re actually containing, slowing down or stopping the adversary from exploiting our networks,” he said. “Compared to today, where an adversary could do an attack and then go laterally through the network, frequently under the noise floor of detection, with zero trust that’s not going to be possible.”
Resnick stated that by 2027 the department will be better able to stop adversaries attacking the DOD network and to minimize any damage if attacks do occur.
He stated that the target level of zero trust is meant to contain the adversary and prevent them from moving freely: not only from seeing the network, but also from moving laterally through it.
He said that if more compliance is required, it’s possible to adjust the requirements to meet the target level.