Pending cloud pilot could get DOD to zero trust in a year rather than five

If an impending zero-trust pilot effort goes well, it could completely alter the Department of Defense’s timeline for implementing the cybersecurity architecture, according to a senior official.

Zero trust is a concept and framework that assumes networks are already compromised and require constant monitoring and authentication to protect critical information. The DOD’s strategy aims to get the department to such an architecture by 2027.

Under the plan, there are two levels of zero trust: a target level and advanced level. The target level is the minimum set of capability outcomes to secure and protect data and requires the delivery of 91 activities. The advanced level requires a total of 152 activities.

The Pentagon recently approached the four vendors awarded under the Joint Warfighting Cloud Capability (JWCC) contract to test if achieving zero trust to the “target level” in the cloud is possible.

“We could do zero trust in the cloud on any one, two, three or all four. This would automatically speed up adoption of zero trust in the DOD,” Randy Resnick, director of the Zero Trust Portfolio Management Office, said at the Zero Trust Summit hosted by CyberScoop on Thursday. “The five-year plan could potentially become one year. You could spin up a cloud in days.”

While other factors still must be met, such as moving users and applications, Resnick said the foundational zero-trust pieces will be there almost immediately.

“This is an accelerator for us and so we’re eager to see whether or not we could do this. We’ll test it in the field and produce final report,” he said. “I’m hoping that by the end of the calendar year, certainly maybe by the end of the fiscal year, we’ll have real data that could tell us whether or not we could do different clouds.”

Resnick also wants to see more and faster acceleration to the cloud because it offers better security.

“From a centralized location, you could do patching and updating, everybody gets the same thing. We would like to see that acceleration to the cloud, especially with zero trust,” he said.

When it comes to other aspects of getting to zero trust, Resnick said there are challenges associated with identity, credentialing and access management (ICAM).

“There are challenges in the ICAM world if you want to go beyond target into the advanced areas of zero trust. You will find if you study the documents, we require more from the ICAM system that exists today,” he explained. “This is acknowledged and understood today. We have programs and projects going on right now, fully funded with DISA and NSA to improve the ICAM systems in the DOD.”

When Resnick’s office was first established, part of its mission was to provide foundational documents for zero trust given nothing existed to date.

Now, he’s challenged his team to figure out what the National Institute of Standards and Technology 800-53 controls for risk management should be for zero trust, because that had not been done before.

Resnick’s team has been working on this task since October and is close to finishing its draft.

“I believe we’re going to have something to potentially share in the summertime, but it still requires a lot of coordination and approval processes through DOD and elsewhere,” he said. “But we will eventually this year present our interpretation of 800-53 in terms of zero trust, for public commentary.”