DOD will be checking agencies' budgets to track implementation of new zero-trust strategy

Dave McKeown delivers a keynote at DefenseScoop's DefenseTalks conference. (DefenseScoop)

The Pentagon publicly released its zero-trust strategy and reference architecture on Tuesday. As part of that approach, the department will be holding organizations accountable to ensure they meet the deadline for achieving a zero-trust architecture, according to senior officials.

To track how the services and other Defense Department agencies are moving towards fully implementing zero trust by 2027, DOD leaders will be asking them to show how much they’re spending to get there.

“We will hold them accountable by asking them to build a plan, which … [the Zero Trust Portfolio Management Office] will coordinate with them on the realistic nature of their plan. As a part of that capability planning guidance that we talked about earlier they have to come back to us and show us in their budgets how much they’re spending on zero trust and what they’re getting for that,” David McKeown, acting principal deputy chief information officer, told reporters Tuesday when the strategy was unveiled.

The strategy was officially signed out in October but the public version wasn’t released until the completion of a review to sanitize it of classified components.

Zero trust is a concept and framework that assumes networks are already compromised and require constant monitoring and authentication to protect critical information.

Officials have maintained the old paradigm of perimeter defense is no longer sufficient to protect against modern day threats.

“Our adversaries are in our networks, exfiltrating our data, and exploiting the Department’s users,” John Sherman, DOD chief information officer, wrote in the strategy’s foreword. “Defending DOD networks with high-powered and ever-more sophisticated perimeter defenses is no longer sufficient for achieving cyber resiliency and securing our information enterprise that spans geographic borders, interfaces with external partners, and support to millions of authorized users, many of which now require access to DOD networks outside traditional boundaries, such as work from home. To meet these challenges, the DOD requires an enhanced cybersecurity framework built upon Zero Trust principles that must be adopted across the Department, enterprise-wide, as quickly as possible as described within this document.”

Randy Resnick, who leads the Zero Trust Portfolio Management Office, told reporters that senior officials will hold directors of agencies and field offices accountable for implementation over a period of time.

Organizations can do this in three ways, officials said: institute zero-trust modernization improvements on the existing network, engage in zero-trust commercial clouds, or engage in a zero-trust privately designed cloud.

“We are not prescriptive. As you read this strategy, we are not defining exact components that people have to buy [or] specific software or anything like that,” McKeown said. “We are defining capabilities here and we’re leaving it up to the services for how they implement those and integrate them together in order to achieve the desired zero-trust level … It’s been like pushing on an open door to try to get people to go to this. They see the need for it. The perimeter defenses were not working. Zero trust is the new alternative to better monitor and respond quicker to intrusions.”

The strategy provides the “how” for getting to a zero-trust architecture, he added.

The strategy defines a target level and advanced level of zero trust. The target level is the minimum set of capability outcomes to secure and protect data. The strategy states the DOD must get to the target level as soon as possible. Once that is achieved, the DOD will monitor continued compliance to get to advanced zero trust, which the document defines as the achievement of the full set of capability outcomes.

The DOD plans to reach the target level in the next five years, by 2027.

Resnick explained there shouldn’t be any major technical items that are unachievable to get to the target level.

“It’s just a matter of leadership’s ability to execute,” he said. “We have the dollars and every single year, we’re doing a review of what’s required going into the next years in the [future years defense program] to make sure that this is well-funded.

The strategy lists seven pillars which provide the foundation areas for the model: user, devices, applications and workloads, data, network in the environment, visibility and analytics, and automation and orchestration.

The plan also includes four high-level strategic goals for how DOD will achieve its zero-trust vision. They include zero-trust cultural adoption, DOD information systems secured and defended, technology acceleration and zero-trust enablement.

The strategy notes there will met metrics to ensure progress toward achieving a zero-trust architecture within the aforementioned goals. A scorecard will be provided to the DOD cyber council to measure the plan’s progress and identify additional risks that need to be mitigated.