Deputy CIO gives updates on Pentagon’s ‘aggressive’ plan for achieving zero trust by 2027
The Department of Defense is moving with a sense of urgency to meet its ambitious goal of operating on a zero trust-based cybersecurity architecture by 2027, according to a senior IT official.
Broadly, zero trust refers to a cybersecurity concept and framework that requires non-stop monitoring and constant authentication to secure critical national security information — and assumes all networks are compromised from the get-go.
“We published a reference architecture, a strategy and an implementation plan. The strategy and implementation plan do clearly define what we mean by ‘zero trust’ in the Department of Defense. We have two different layers of achieving zero trust — one is targeted, and the other is advanced. We want to achieve targeted zero trust by 2027. We are an extremely large organization with many networks, and while 2027 may not seem that aggressive, it is super aggressive for us to try to get there by that date,” DOD’s dual-hatted Deputy Chief Information Officer and Cybersecurity and Senior Information Security Officer Dave McKeown said.
During his keynote session at the Zero Trust Summit presented by CyberScoop on Thursday, McKeown provided fresh updates on all that’s currently underway for his team in this pursuit, and he discussed how they aim to soon expand the focus beyond traditional networks and move toward implementation across other types of systems as well.
“As you would probably agree, the construct of zero trust is important no matter what the network is and no matter what the platform is — medical systems, weapons systems, critical infrastructure — we want to be cognizant of that and finish towards that,” he explained.
DOD points to three methods for achieving zero trust, McKeown also noted. Those include: understanding and uplifting the current environment, leveraging cloud services, and using purpose-built on-premises solutions.
The department’s strategy for achieving zero trust for the target level by 2027 is built around 91 activities.
“What have we done since we implemented the strategy? Well, Congress wanted us and the services to brief them on our overarching plans, so we have been working on those,” McKeown said.
In November, all Defense Department agencies and military services submitted roughly 40 different cybersecurity approach plans to his team for review.
“We were very, very helpful to them. We gave them the outline of what we wanted them to see back and asked questions in the outline, so that when they delivered their plans back to us all of the things that we needed to see were there. We followed up with them once we received those outlines, and they were very good. I will tell you — the maturity of the understanding of zero trust and what we’re trying to achieve is strong within the department,” McKeown said.
There was a bit more back and forth after that and all the updates that were recommended were eventually made, and then those final plans rolled in at the end of January.
“And we’re now we’re going to create an integrated master schedule — my team is, the Zero Trust Portfolio Management Office that’s led by Randy Resnick — based on all those inputs that we came up with, with Congress, we’re gonna move from the planning phase and educating phase into the implementation phase over the next three years,” the deputy CIO noted.
Once those officials have that completely set integrated master schedule, they’ll focus on enabling appropriate zero-trust training across the department.
“We partnered with the Defense Acquisition University to develop training modules. And they go around conducting live-training events to educate people on what zero trust is. This is a huge effort to shift the whole entire department to a new paradigm for cybersecurity, so the training is totally vital,” McKeown said.
