Software factories helped pave the way for the Department of the Air Force’s new zero trust implementation roadmap, a quarter-by-quarter plan with a head start on the Pentagon’s recently released five-year zero trust strategy.
“The Department of the Air Force, I believe, was the first in the DOD to publish a zero trust strategy and an ICAM strategy, so we've been working on our zero trust journey for a little while,” Air Force CIO Lauren Knausenberger said in a recent GovCast interview. "We have some pretty good pilots in place and have worked from the beginning with sharing that knowledge and sharing that advocacy across the DOD, and so we participated in [producing] the DOD zero trust strategy.”
Like the DOD's five-year strategy, the Air Force's zero trust roadmap pursues the zero trust approach through multiple lines of effort: applications, networks, devices, users and data.
Conducting an application inventory and integrating those applications into ICAM, secure access service edge (SASE) and software-defined perimeter (SDP) solutions will be the first big hurdle, Air Force CTO Jay Bonci told GovCIO Media & Research in an interview.
“We know that this is a long pole in the tent, but is the major early value in our zero trust architectural efforts,” he said. “We have a lot of experience with this value stream in Cloud One, but those are applications that know they need to be modernized and refactored to move to cloud. Elements on premise that are in the ‘retain’ cloud category are going to be challenging and we don't have our hands around that just yet.”
Cyber leaders across industry, defense and civilian agencies share Bonci’s perspective: knowing what is connected to your network and why, whether it be users, devices or applications, is critical for good cybersecurity.
"If you don't know how to structure your protection mechanisms, if you don't know how to structure the information you want to exchange, you're not going to have an idea how to budget design or protection," said Jay Gazlay, associate director for vulnerability management at the Cybersecurity and Infrastructure Security Agency (CISA), during a GovCIO Media & Research zero trust event in September 2022.
Software Factories Leading the Way
The Air Force's head start on zero trust is partly attributable to the cultural and technical agility cultivated over the last several years.
“Roadmapping allows us to create a granularity floor to talk about and show progress across these very complicated topics. It also enables for teams who are working on one slice of the picture — say, end-user devices — to know where those efforts need to link up with other parts, such as the universe of policy enforcement points,” Bonci said. “This has been in motion for many years now and our efforts stand on the shoulders of some of the early pioneers in the department who got these dominos moving. The roadmap documents those efforts and unifies them into a place where we can start to spot dependency and priority problems on a macro level, and we have hooked in most of our IT delivery teams into the creation and updating of these roadmaps.”
Software factories, in particular, helped transform the department into an organization primed to adopt a zero trust approach through DevSecOps principles, which will be important for securing the Advanced Battle Management System (ABMS), the Air Force’s contribution to DOD’s Joint All-Domain Command-and-Control (JADC2) initiative.
“Software factories are great for many reasons — for one, they allow us to move and prototype things very quickly,” Bonci said. “Many of the early zero trust component implementations came out of Cloud One and Platform One. They have also been eager to help us get our hands around some particularly snarly problems. Deployable ICAM is one such problem set, and having cultural and technical agility in the factories in our consumers is going to be key to getting this right for ABMS. Based on that agility and a defined product market fit, the enterprise can do what it does best, which is scale this out to the entire Air Force in a cost-efficient manner. It has been a great partnership with those programs and platforms and we want to be doing more of that kind of rapid learning in the future.”
In the Pentagon’s five-year zero trust strategy, DOD CIO John Sherman said creating a zero trust culture is a No. 1 priority.
“This urgency means that our colleagues, our warfighters, and every member of DOD must adopt a zero trust mindset, regardless of whether they work in technology or cybersecurity or the human resource departments,” Sherman wrote in a foreword to the strategy. “This 'never trust, always verify' mindset requires us to take responsibility for the security of our devices, applications, assets and services; users are granted access to only the data they need and when needed.”
In order to attain the cultural sweet spot of understanding zero trust and its importance for maintaining effective cybersecurity in future fights, other service branches and DOD components should embrace technical agility, Bonci said.
“We are in a place in cyber history where risk of inaction has well overtopped the risk of action, and we as leaders must create places where we can experiment, make mistakes and re-vector as we learn,” Bonci said. “We have to do this with empathy and understanding that this topic is complex and that education and strategic messaging are key.”
Department of the Navy CIO Aaron Weis described a similar concept at the AFCEA West naval conference hosted by AFCEA International and the U.S. Naval Institute in San Diego this week: service branches should consider cybersecurity as a problem of “readiness.”
DISA successfully completed its Thunderdome zero trust prototype pilot at the end of January and was issued a full authorization to operate, DISA's Thunderdome Chief Engineer Julian Breyer told attendees at AFCEA West. The pilot is notable for its potential to evolve and adapt along the way as it collaborates with other defense components working on zero trust implementation.
"The Thunderdome prototype ... isn't supposed to be the end-all-be-all for us," Breyer said. "The adoption is really the hard part. Fielding a new capability on a network and getting it approved to operate is certainly not an easy feat within the DOD environment, but then to take a step back and to work out processes to encourage our user base to think through what level of conditional access is appropriate for a specific application."
With Thunderdome, Breyer said DISA has onboarded around 1,500 users at three different DISA sites and is working on a conditional remote access pilot with the Army. It's expected to conduct red team testing around April and begin SASE migration in May, he said.
"We're still engaged in ongoing dialogue with the services, many of whom are trying out different technologies than the ones that we've chosen," Breyer said. "There's a pretty great exchange between the different services and the different [zero trust] teams to talk about what their solutions do maybe better than ours and what our solution does better than them."
Angel Phaneuf, CISO at Army Software Factory, emphasized empathy and compassion when teaching team members to “think” with a zero trust mindset during a recent GovFocus interview with GovCIO Media & Research.
“Taking the time to talk with humans and say, hey, the human element of this is we want to keep you safe, it’s not that you did anything wrong by scaling back this access,” she said, referencing how ICAM solutions, a pillar of zero trust, can be more restrictive about users’ access to data.
In a recent CyberCast interview with GovCIO Media & Research, Coast Guard Deputy CIO Brian Campo said he plans to launch the Coast Guard’s first software factory later this year to replicate the success Air Force software factories have had in improving cybersecurity.
“In a lot of ways the software factories absolutely represent the future of the Air Force in that they're using Agile processes, they're using modern tools, they are incredibly adaptable,” Knausenberger told GovCIO Media & Research.
APIs and SBOMs for JADC2
The Air Force's new zero trust roadmap also highlights application programming interfaces (APIs) and developing software bills of materials (SBOMs) as key cybersecurity priorities for fiscal year 2023.
According to the roadmap, the Air Force plans to publish an enterprise SBOM strategy in the fourth quarter of 2023. This plan also circles back to the leadership of software factories: both the Air Force BESPIN Software Factory and Army Software Factory consider SBOMs their bread and butter for good cybersecurity, according to interviews with GovCIO Media & Research.
APIs are especially important for JADC2. As with the cultural element, Air Force software factories and DevSecOps principles set the example for securing APIs within a zero trust framework.
“We need to think about how we consume APIs from cloud services and commercial software, and what best practices look like for APIs that we produce,” Bonci said. “API-sharing is a key foundation to JADC2 and information-sharing with partners and allies broadly. We’ll need to define the right enterprise services which make it easy for developers to produce scalable, easily-secured and stylistically similar APIs. This includes credential lifecycles and other technical, policy and business considerations. Many of the early implementations are embodied in our DevSecOps environments like Platform One, but we will need to extend that beyond those ecosystems.”
APIs also go hand-in-hand with optimal user experience while maintaining security.
"The ability to have a good user experience also lies within endpoint security, and so I believe that interoperability is key to that, and API-enabled capabilities are key," said DISA Senior Cyber Strategist Gillian Busick at the AFCEA West conference.
"If the DOD365 delivers some of our capabilities, and we're delivering some of them in Thunderdome, and DoDNet delivers some of them for the Fourth Estate users' desktop experience, all of that needs to be patched together, and so open API support is vital for that," added Breyer at the conference.