With 2027 deadline looming, DOD moves into implementation phase of zero trust transformation
After months of preparation and funding, the Defense Department has begun executing on its ambitious plans to transition to a zero-trust cybersecurity framework by the end of fiscal 2027, according to multiple senior IT officials at the Pentagon.
In 2022, the Defense Department released its first strategy and a reference architecture for operating under zero trust — a cybersecurity concept that assumes networks are already compromised by adversaries, meaning the Pentagon must constantly monitor and authenticate users and their devices as they move through a network.
The strategy outlined what it considers “target levels” of zero trust, which are a minimum set of 91 capability outcomes that agencies and components at the department must meet to secure and protect networks. The Pentagon’s goal is to achieve those target levels no later than Sept. 30, 2027.
Despite the seemingly aggressive timeline for introducing an entirely new cybersecurity concept across the department, different IT officials at the Defense Department said this week that they are on track to meet the deadline.
“We’re clearly in the implementation phase,” Dave McKeown, DOD chief information security officer and deputy chief information officer for cybersecurity, said Wednesday at the Defense Acquisition University’s Zero Trust Symposium. “We’ve done a lot of planning, we’ve tried to educate the force, we’ve gotten the plans all submitted. And now, we’ve got to move into execution.”
Hit the ground running
To help streamline zero trust adoption across the enterprise, the Pentagon established a zero trust portfolio management office led by Randy Resnick. During the remainder of fiscal 2024 and into fiscal 2025, the office plans to rapidly move out on developing zero trust proof of concept pilots, with at least 15 pilots already lined up, Resnick said Tuesday during the symposium.
Getting the pilots off the ground will hopefully mitigate any apprehension about the possibility of implementing zero trust by 2027 that Pentagon components may have, he noted.
“If we start generating potential solutions that have been independently assessed, and validated to hit target, then we’re showing that this assemblage of vendors or products put together in a certain configuration can actually deliver the results that we see coming out of zero trust,” Resnick said. “And so, it would be then up to the components that decide what they want to do next.”
While the goal is to adopt zero trust across the department, officials have emphasized that there is no one-size-fits-all approach to implementation. To that end, the zero trust strategy provided a capability execution roadmap with three courses of action (COAs) that agencies and components may take.
Resnick said the 15 pilots planned by the portfolio management office will focus on COA 1, which uses a brownfield approach by adding new technology to existing IT infrastructure.
In the future, the office wants to launch pilots for COAs 2 and 3 — which will leverage zero trust-compliant commercial cloud capabilities and government-owned clouds, respectively. McKeown said DOD is working with industry on those COAs, stressing to them the importance of having integrated solutions that meet target-level requirements.
The Pentagon CIO’s office will also continue work in facilitating assessments of vendor zero trust technology and integration, Resnick noted.
Companies are being asked to independently integrate and test their products to see if they reach target levels of zero trust. If those companies feel they have achieved the necessary requirements and the Defense Department agrees with the assessment, the vendors will be invited to participate in “purple team assessments” that test and analyze how both adversaries and cyber defenders act in the environment, Resnick explained.
If the integrated system meets target levels of zero trust or higher, then the Pentagon can officially give it the green light via adjudication, he said.
“It’s an important element of approval because that would give a signal to DOD and any other customer that this configuration with these hardware and software … delivered to us target-level [zero trust],” he added.
Conducting red, blue and combined purple team assessments of the environments is critical to delivering integrated zero-trust solutions, McKeown said.
“We have fielded lots of good cybersecurity tools throughout the [DOD Information Network] over the past decades. All of these tools served a purpose, but were not well integrated,” he said. “Integration is the key to making all of the tools work more synergistically together and improving the effectiveness of our cyber defenses.”
A need to go faster
As it continues to move forward with zero trust implementation, the DOD CIO’s office is incorporating mechanisms that aim to speed up the process and keep efforts on track for the 2027 deadline.
A key lesson came in recent months when the portfolio management office reviewed and approved the first zero trust implementation plans that each DOD agency and component submitted. The CIO’s office is requiring individual components to create and submit these implementation plans each year by October.
Resnick said his office approved all 39 of the submitted plans in January and then provided an update to Congress based on those reviews in March. It was an effort that required a lot of back-and-forth communication with each component and took 35 full-time employees three-and-a-half months to complete, he noted.
Now, the portfolio management office is looking at how it can automate the process for future years, Resnick said.
“It was a tremendous effort. We did it once, and the lessons learned here was that we really can’t repeat this process. It is untenable,” he said. “We need to automate the assessment process. We need to put it in electronic form where we could actually apply AI tools to actually ask questions and to achieve answers based on the submissions, and that’s where our head is going right now.”
In addition, DOD CIO John Sherman said that he is working to improve the authorization (ATO) and continuous authorization (cATO) processes that are used to minimize and manage cybersecurity risk responsibility for software systems.
Speaking Tuesday at the symposium, Sherman said it is likely that guidance on “reciprocity by default” will be released that will address the lengthy time and repetitive efforts associated with ATOs.
His office is also working on evaluation criteria for cATOs, with a draft already outlined and plans to talk with each of the services about their own cATO evaluation criteria underway, he said.
“It takes too long to get software deployed and other capabilities. And these are patriotic Americans working hard to do the right thing by implementing the [risk management framework], but we’ve got to do better on this,” Sherman said.
Reaching target levels and beyond
Although the Defense Department believes it is on track to reach target-level zero trust by 2027, Sherman highlighted that it still has plenty of work to do ahead of the deadline.
For example, the Pentagon has long discussed implementing an enterprise solution for identity, credential and access management (ICAM) — considered a key component of zero trust. The CIO’s office is still evaluating options for a federated ICAM solution, Sherman said.
Another ongoing effort is implementing zero trust practices in cloud environments, he added. The department is currently working with all four cloud services providers contracted under the Joint Warfighting Cloud Capability (JWCC) contract — Microsoft, Oracle, Amazon Web Services and Google — to conduct red-teaming assessments and understand zero trust in the cloud, he said.
The Pentagon is also continuing its investments in zero-trust capabilities and expanding the pool of vendors able to offer cyber protection, starting with endpoint security, Sherman noted. The department is already using Microsoft Defender for Endpoint — an enterprise endpoint security platform — for unclassified networks and plans to eventually use it for the secret level as well.
“There will be other opportunities for other cybersecurity service companies for other parts of the enterprise, for non-Microsoft endpoints,” Sherman said. “As we look at [operational technology] and elsewhere — as we expand zero trust out — we’re going to use other companies as well. We do not have a monoculture on one company here.”
As for what happens after the 2027 deadline, the Defense Department is already thinking about how it will implement what it refers to as “advanced levels” of zero trust cybersecurity — as well as other use cases for the architecture.
While target levels cover minimum data security requirements, advanced levels are defined as the achievement of the full set of capability outcomes. Along with the 91 activities that are needed to reach target zero trust, advanced levels will require an additional 61 activities, according to the DOD’s strategy.
“This is not a one and done. We’ve got the target-level zero trust and then the broader implementation of zero trust five years later,” Sherman said.
The Pentagon is also exploring how it will leverage zero trust beyond its information technology infrastructure, such as on weapon systems.
“It’s one thing to do this on networks, it’s another thing to do it on a weapons system or weapon platform, on operational technology, on [supervisory control and data acquisition systems] and so on,” he said. “It’s gonna be a bit of a lift there too. We’re gonna have to figure out how to do this as well because we know their threat vectors there.”
