The Defense Department (DOD) plans to publicly release its zero trust overlay for the National Institute of Standards and Technology (NIST) Special Publication 800-53 control catalog by summer, which will complete the full set of documentation DOD is required to provide to help the enterprise implement zero trust architecture.
DOD already released its zero trust strategy and reference architecture to guide the military departments and Fourth Estate working towards 2027 zero trust target levels.
"Target level for us means being able to stop the adversary. There's a lot of science that goes behind how we define our activity level and our capability level," Randy Resnick, DOD Zero Trust Portfolio Management Office director, said at AFCEA International's TechNet Cyber 2023 conference in Baltimore this week. "A lot of it has to do with a lot of other information not found on classified networks that made us develop the definition the way we did."
DOD CIO John Sherman said department-wide zero trust implementation is currently one of his highest priorities. He identified three approaches the services can choose from to implement the zero trust framework.
"We've also laid out our strategy, kind of a pick-your-own adventure. Folks may remember those books are a little like 'Do you slay the dragon? Or do you go into the cave,'" Sherman told GovCIO Media & Research in an exclusive on-site podcast interview at TechNet Cyber 2023.
One is the brownfield approach, in which the military services build zero trust capabilities on top of their existing infrastructure. Another is to use the Joint Warfighting Cloud Capability (JWCC) contract and rely on the commercial zero trust solutions offered by the JWCC awardees: Amazon Web Services (AWS), Google, Microsoft and Oracle. The third route is private cloud adoption.
Successful implementation of the zero trust framework requires not just an IT fix but also policy, training and doctrine.
Resnick's office is on its way to delivering three zero trust courses within DOD. The basic zero trust awareness course is already available for military service members and civilian employees, but DOD is "seriously" considering mandating the course.
The other two courses, meant to train senior leaders, practitioners and implementers, will be released by July.
"You have to remember that people that are going to be installing zero trust need to understand what they're working with, need to write policies and rules to do it correctly. That requires training," Resnick said.
Resnick said the journey will be long and arduous, and DOD will work component by component to implement the architecture and meet the deadlines outlined in the zero trust strategy. While funding is essential in this effort, successful implementation also means staying on schedule and ensuring interoperability between cybersecurity services and solutions for an effective zero trust model.
"We really want to see multiple vendor integrations. Not one vendor is going to solve this problem. We want to see interoperability, we also want to see API security. And lastly…applications…they need to be written to be aware of their ZTE (zero trust edge) surroundings going forward. It needs to be aware of ICAM systems, it needs to be able to take some ins and outs of rules and policies. This is what I'm talking about being ZTE-aware," Resnick said.
Scaling zero trust will require automation.
"The act of defenses will get stronger because we're going to log everything. We're going to have analytics over those logs, we're going to do automation of responses versus a human in the loop. So that piece of it is big," said David McKeown, acting principal deputy CIO and CISO at DOD.
Lt. Gen. Maria Barrett, commanding general of U.S. Army Cyber Command, emphasized the importance of automation in the cybersecurity process: continuously verifying users and devices and flagging unusual or suspicious activity.
"We fly planes on autopilot, we land them on autopilot. This is not scary to run a network in an automated way," Barrett said.
Sherman said the zero trust approach might have prevented the recent leak of classified documents containing sensitive information about the ongoing Russia-Ukraine war.
"As you look at those seven pillars of zero trust, you have pillar number seven: visibility and analytics, other pillars automation and orchestration... Bringing all this together to prevent somebody, whether it's external or internal, from moving laterally across the network, getting to data, not the system, but the data they're not supposed to have access to, that's what zero trust is really about," Sherman said.
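The loop McKeown and Sherman describe above (authorize every request against identity, device posture and the data's label; log every decision; run analytics over those logs; respond automatically rather than waiting on a human) can be sketched in a few dozen lines. The following is an added illustrative example, not code from the article, DOD or any vendor; the user names, resources, classification labels and the "three denials on distinct resources revokes the session" threshold are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample access requests (hypothetical users, sessions and paths).
# Each one is a per-request check on identity (MFA), device posture and the
# resource's data label, not a one-time "is this user on the network" check.
REQUESTS = [
    {"ts": 1, "user": "analyst1", "session": "s1", "mfa": True,  "device_compliant": True,  "resource": "/data/ops/brief.pdf",   "label": "SECRET", "clearance": "SECRET"},
    {"ts": 2, "user": "analyst1", "session": "s1", "mfa": True,  "device_compliant": True,  "resource": "/data/intel/plan.pdf",  "label": "TS",     "clearance": "SECRET"},
    {"ts": 3, "user": "analyst1", "session": "s1", "mfa": True,  "device_compliant": True,  "resource": "/data/intel/map.pdf",   "label": "TS",     "clearance": "SECRET"},
    {"ts": 4, "user": "analyst1", "session": "s1", "mfa": True,  "device_compliant": True,  "resource": "/data/intel/orders.pdf","label": "TS",     "clearance": "SECRET"},
    {"ts": 5, "user": "admin2",   "session": "s2", "mfa": False, "device_compliant": True,  "resource": "/data/ops/brief.pdf",   "label": "SECRET", "clearance": "TS"},
    {"ts": 6, "user": "admin2",   "session": "s2", "mfa": True,  "device_compliant": False, "resource": "/data/ops/brief.pdf",   "label": "SECRET", "clearance": "TS"},
]

# Hypothetical label ordering; a real deployment would take this from ICAM/data tagging.
LEVEL = {"UNCLASS": 0, "SECRET": 1, "TS": 2}
DENY_THRESHOLD = 3  # distinct resources denied in one session before an automated response


def evaluate(req):
    """Per-request policy decision: (decision, reason). Every condition is re-checked
    on every request; nothing is inherited from an earlier allow."""
    if not req["mfa"]:
        return "deny", "mfa_required"
    if not req["device_compliant"]:
        return "deny", "device_noncompliant"
    if LEVEL[req["clearance"]] < LEVEL[req["label"]]:
        return "deny", "label_exceeds_clearance"
    return "allow", "policy_ok"


def process(requests):
    """Evaluate every request and log every decision (allow and deny alike).
    Returns the structured log entries in request order."""
    log = []
    for req in requests:
        decision, reason = evaluate(req)
        log.append({
            "ts": req["ts"], "user": req["user"], "session": req["session"],
            "resource": req["resource"], "label": req["label"],
            "decision": decision, "reason": reason,
        })
    return log


def analyze(log, threshold=DENY_THRESHOLD):
    """Analytics over the decision log: a session denied on `threshold` distinct
    resources looks like probing for data it is not entitled to (lateral movement
    toward data rather than systems). Emit one automated response per session."""
    denied = defaultdict(set)
    responses = []
    revoked = set()
    for entry in log:
        if entry["decision"] != "deny":
            continue
        denied[entry["session"]].add(entry["resource"])
        if len(denied[entry["session"]]) >= threshold and entry["session"] not in revoked:
            revoked.add(entry["session"])
            responses.append({"action": "revoke_session", "session": entry["session"],
                              "user": entry["user"], "ts": entry["ts"]})
    return responses


def to_jsonl(entries):
    """Serialize log entries one JSON object per line, as a SIEM would ingest them."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in entries)


if __name__ == "__main__":
    decision_log = process(REQUESTS)
    print(to_jsonl(decision_log))
    for action in analyze(decision_log):
        print("AUTOMATED RESPONSE:", json.dumps(action))
```

In the sample, `analyst1` is allowed the SECRET brief and then denied three distinct TS documents, so the analytics step revokes session `s1` with no human in the loop; `admin2` is denied twice on the same resource (once for missing MFA, once for a non-compliant device) and stays under the threshold. In a real deployment the revoke action would feed back into the policy decision point so later requests on that session are refused outright, and the threshold and label ordering would come from the organization's own ICAM and data-tagging systems rather than the constants assumed here.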