Defense Security Chief Teases 5-Year Zero Trust Strategy
Key tools within the strategy include software bills of materials and data analytics.
The Pentagon will soon release a comprehensive strategy on zero trust that defines capabilities for the security framework to be implemented over the next five years, the Pentagon’s security chief said.
“We’re taking an aggressive stance. Our funding is in alignment with this — that we want to be at targeted zero trust for the department by the end of fiscal year 2027,” said Defense Department Deputy CIO for Cybersecurity David McKeown at the Billington Cybersecurity Summit in Washington, DC, Wednesday. “It is very comprehensive. It’s our north star.”
As part of the strategy coordinated with the newly pointed head of DOD’s Zero Trust Portfolio Management Office head Randy Resnick, McKeown highlighted that 90 capabilities are going to define what he called “targeted zero trust.” An additional 62 capabilities will define more “advanced zero trust” for applicability on critical national security systems.
Three methods, he added, will guide successful implementation: uplifting the current environment, implementing zero trust cloud on premises and partnering with cloud providers to examine current FedRAMP offerings.
Key tools to this effort — and also key for partnerships — will include creating software bills of materials (SBOMs) and acquiring tools to ingest that data.
“This is an area we definitely need help to reform,” McKeown said. “Both SolarWinds and Log4j are examples of software that we willingly accepted into our environment. The Log4j problem was even more difficult because we had this reliance on all software vendors. … We didn’t have a way of quickly enumerating which software had it and patch it and remove it from the network.”
“The Log4j vulnerability was a feature, not a bug,” Federal CISO Chris DeRusha said.
As agencies develop their zero trust strategies as with DOD, DeRusha said key tools in this process will complement other strategies around the customer experience and the workforce.
“We have to get better at customer experience and user experience when rolling out security solutions,” DeRusha said. “[SBOMs] are an enabling tool — not a silver bullet. … They can help get the information folks need to do better vulnerability management.”
This is a carousel with manually rotating slides. Use Next and Previous buttons to navigate or jump to a slide with the slide dots
-
How TMF is Helping Agencies Accelerate Tech Modernization
The program launched a new AI pilot to expedite TMF applications as agency leaders urge more to consider applying for funds.
4m read -
Energy Researchers Aim For Holistic Approach to AI Issues
A new center at the Oak Ridge National Laboratory is looking at under-researched areas of AI to better understand how to secure it.
2m read -
A Prepared Workforce is Key to Cyber Resiliency
Strong training strategies and emphasizing cyber hygiene basics enhance security practices at federal agencies.
2m read -
Coast Guard Poised for Growth in Cyber
The service’s prevention policy chief discusses his priorities for combatting cyber incidents that could have global impacts.
23m listen