DOD aiming to accelerate zero trust adoption schedule
The Pentagon set a goal of implementing a zero-trust cybersecurity architecture across the department by the end of fiscal 2027, but officials have now been asked to go significantly faster, according to a senior official.
Under the zero-trust concept, managers are supposed to assume that networks are already compromised by adversaries, meaning they must constantly monitor and authenticate users and their devices as they move through a network.
A Department of Defense strategy signed out in 2022 outlines “target levels” of zero trust, which are a minimum set of 91 capability outcomes that DOD agencies and components must meet to secure and protect networks. The Pentagon’s goal was to achieve those target levels no later than Sept. 30, 2027.
“As the cybersecurity chief for the department this is my number one project — implementing zero trust by 2027,” David McKeown, DOD’s deputy chief information officer for cybersecurity and senior information security officer, said Wednesday at DefenseTalks, presented by DefenseScoop.
Officials have said they’re on track to meet that deadline.
However, now the department is trying to move the schedule to the left, McKeown noted.
“We’ve been asked to see how we can accelerate that. We’re going to try to accelerate that by a year through a variety of means,” he said.
The military services and agencies within the DOD were tasked to come up with plans for how they’re going to implement zero trust. Those plans have been delivered, Congress has been briefed and the components are moving out on implementation.
“We had three different ways in which you could implement it. The first one was to uplift your current environment by adding all the necessary tools and capabilities and integrating them. Secondly, was to adopt commercial cloud solutions that already have the capabilities built in. And then lastly, purpose-built on-prem clouds that also were proven to meet zero-trust capabilities. We see that most organizations, because of the diversity of their [network] terrain, are doing a hybrid of all of those things to achieve zero trust,” McKeown said.
“I’ve been preaching for a while, we need integrated products to do this. The products by themselves don’t work well together. We need to fully integrate them to achieve that zero-trust effect. So we’ve been working with a lot of vendors out there on [courses of action] one through three on how we can best deliver integrated products to the folks working on zero trust there. And we continue to look to vendors to interface with us on emerging technology and those integrated solutions for implementing zero trust,” he added.