Army at the ‘crawl phase’ in journey to zero trust

"I'd say we're still at the crawl phase, which is what can we even implement to actually properly identify the [Army's disparate sources of] data," a top Army cyber official said.
Colten O'Malley speaks at a CyberScoop event in 2022. (CyberScoop)

As the U.S. military services work to stand up a zero-trust architecture by 2027, the Army is currently only in the “crawl phase” on the journey to implement the modern security model across its enterprise, a top Army cybersecurity official said Tuesday.

“I’d say we’re still at the crawl phase, which is what can we even implement to actually properly identify the [Army’s disparate sources of] data,” Colten O’Malley, deputy commander and CISO for the Army Command and Control Support Agency, said during a panel at the CrowdStrike Government Summit.

Zero trust relies on the active visibility and monitoring of networks, data and users to secure information from intruders who may have already breached a system. To get there, organizations need a complete picture of what their IT environment looks like.

O’Malley described the Army’s IT enterprise — like many across the federal government — as a disparate and ad-hoc ecosystem of legacy systems that makes it difficult to keep track of data.


“It’s dispersed everywhere. We’ve got a little system that meets that need, a little system that meets that need … And none of these database architectures, none of these systems, were built with any sort of open architecture, right? So what you have is like a ‘bajillion’ different places that you need data from,” he said.

“The part that we struggle with most is: Do we even really know what kind of data we’re issuing? Because we have so much of it, and it’s dispersed,” O’Malley said.

The Army conducted a proof of concept that helped to inform what metrics it should be measuring on the journey to zero trust — things like end-user devices, including both Army-issued devices and non-Army devices used in “bring your own device” and remote work models, and the effectiveness of central policy enforcement.

While the Army would like to get to a point where its zero-trust model is mature enough to measure those things, “the key metric we’re looking at right now is really just deployment,” O’Malley said.

“So we’re not really even in a mature enough state to say: ‘Oh, yeah, we can actively see adversaries doing things by using this telemetry,’” he said. “We’re more in the state now of how do we identify and employ capabilities that can actually meet this need at scale?”


The Department of Defense has set an ambitious timeline for the U.S. military services and other field activities to implement zero trust by 2027, it announced last August.

The Army announced in October that it was in the process of standing up a program office dedicated to the adoption of zero trust.
