In the coming weeks, Department of Defense components will be submitting their plans for how they will achieve “zero-trust” principles within their slices of the network in line with the Pentagon’s strategy released last year, according to the top IT official.
Last fall, DOD released its zero-trust strategy as well as its reference architecture. Zero trust is a concept and framework that assumes networks are already compromised and require constant monitoring and authentication to protect critical information.
The strategy laid out a target level and advanced level of zero trust. The target level is the minimum set of capability outcomes to secure and protect data. The strategy states the DOD must get to the target level as soon as possible. Once that is achieved, the Pentagon will monitor continued compliance to get to advanced zero trust, which the document defines as the achievement of the full set of capability outcomes.
The goal is for the department to achieve the target level by 2027.
The strategy provided a roadmap for how organization can achieve zero trust, but officials have been very clear from the start that there are multiple potential pathways. As a result, there will be several different approaches.
“I’ve used the term pick your own adventure on some of this … I suspect each of the components — matter of fact, I know they are — taking a little bit different path to get there,” John Sherman, DOD chief information officer, said at the Billington Cybersecurity Summit on Thursday.
These organizations will be submitting their plans to the zero-trust portfolio management office, led by Randy Resnick, next month, according to Sherman, who described it as a “very important milestone” to start the assessment.
“Between October and the holiday period, Randy and his team are going to be reviewing what these plans look like, consistent with what we’ve laid out with the capabilities, the 91 capabilities, that gets targeted zero trust by 2027,” he said.