Air Force releases strategy for zero-trust implementation

As the entire Pentagon moves to adopt zero trust by the end of fiscal 2027, the Department of the Air Force has outlined its plans to implement the cybersecurity framework by leveraging cloud-based and identity, credential, and access management (ICAM) solutions.

DAF Chief Information Officer Venice Goodwine released the department’s Zero Trust Strategy this week, in which she lays out seven strategic goals and accompanying objectives that will allow the Air and Space Forces to operate using a zero-trust concept in the future. The DAF intends to move beyond baseline maturity for zero trust and work to reach intermediate maturity by the end of fiscal 2028, according to the document.

Each of the strategic goals and objectives are directly aligned with the Defense Department’s Zero Trust Strategy, released in 2022. The Pentagon-wide implementation plan requires organizations across the department to achieve what it calls “target levels” of zero trust no later than the end of fiscal 2027.

“Ultimately, this strategy makes the warfighting changes we need to evolve as a department possible by simplifying access for our Airmen & Guardians and imposing higher costs on our competitors and adversaries,” according to the executive summary of the new Air Force strategy. “The seven pillars capability elements, and activities, focus DAF resources to align with the DoD Zero Trust Strategy and industry leading Zero Trust models.”

Zero trust is a cybersecurity framework that assumes adversaries are already moving through IT networks, and therefore requires organizations to continuously monitor and validate users and their devices as they move through the network. The pivot towards operating under zero trust will require Pentagon components to modernize their IT infrastructures, as well as adopt new governance processes.

The DAF strategy emphasizes the importance of moving many of its systems to a cloud infrastructure. The department’s goal for baseline maturity will focus on improving security and access “through direct cloud access, software defined perimeters, dynamic access control policies, and datacenter segmentation,” the document stated.

The Air Force first plans to deploy micro-segmentation capabilities via Next Gen Gateways security stacks that will assist in transitioning off of the Joint Regional Security Stacks (JRSS) infrastructure — which will sunset by fiscal 2025. The department also intends to adopt Microsoft Defender and Comply-to-Connect capabilities to establish robust endpoint security.

To achieve zero trust beyond basic maturity, the DAF will field both an operational enterprise ICAM solution and an enterprise endpoint management, security and monitoring solution, the strategy noted. As it begins consolidating its IT networks, the department will require a basic-level data tagging, labeling and protection solution.

The document also identifies automated management via multi-factor authentication; cloud-native management; control and access; basic data protection; and more granular attribute, policy, and risk-adaptive-based access controls as other objectives for intermediate maturity.

“At advanced maturity, focus shifts to include non-IP-based systems/control systems and cyber operations integration – distributed and resilient digital assets and a command-centric cyber operations tempo,” officials wrote.

Last year, the DAF CIO’s office published an enterprise zero-trust roadmap that offers a quarterly summary of its plans to implement the new concept. The department is using the roadmap as it develops unclassified and classified implementation plans. Initially, the focus will be on operations in the Indo-Pacific, followed by other networks, tactical systems and disconnected environments in other theaters, according to the new strategy.

Along with new technologies, the strategy emphasized the importance of adapting to the culture shift required to implement zero trust, and called on leadership throughout the DAF to collaborate on the transition at an enterprise level.

“Application, data, and mission owners must be active participants in data tagging, attribute definition, and access decision requirements. These are the fundamental elements of Zero Trust that will drive success or failure,” the document stated. “Failure to implement this strategy bears significantly greater risk in connecting CJADC2 military IoT systems together, increasing the potential impacts an adversary could inflict from data exfiltration and degraded systems to critical mission failure and potential loss of life.”