Pentagon looks to use AI, automation for zero trust assessments

The tech would be used to assist in "purple team assessments" that test how adversaries and cyber defenders move through networks.
Zero-trust network architecture illustration (iStock/Getty Images)

The Defense Department is soliciting ideas for how artificial intelligence and machine learning capabilities can assist in the zero-trust assessment process as the deadline to reach target-level compliance approaches.

According to a request for information posted Tuesday, the DOD’s Zero Trust Portfolio Management Office is interested in leveraging “automation, AI and ML to accelerate and scale [zero trust] assessments” across the entire department — specifically for “purple team assessments.” The technologies will help the Pentagon mitigate its limited capacity to validate initial compliance and conduct continuous assessments, the RFI noted.

Zero trust is a cybersecurity concept that assumes IT networks and systems are constantly under attack by adversaries, requiring the Pentagon to continuously monitor and authenticate users and their devices as they move through the network. The department’s Zero Trust Strategy mandates that all DOD components achieve “target levels” of zero trust by the end of fiscal 2027.

Validating compliance requires a combination of internal and third-party assessments. A key part of the Pentagon’s independent evaluation process is a method called purple teaming, which analyzes and tests both how “red team” adversaries and “blue force” cyber defenders move and interact in an IT network.

However, officials have previously noted that conducting comprehensive purple teaming can be a time-consuming process that can take warfighters away from other important missions.

And with the deadline to achieve target-level zero trust looming — meaning more solutions will have to be validated through purple teaming — the portfolio management office wants to see if AI capabilities can help with initial approval and future continuous monitoring.

Officials are asking vendors to submit ideas for commercial off-the-shelf, AI/ML-enabled platforms and services that can scale purple teaming for zero trust evaluations on both unclassified and secret networks.

“These evaluations will assess the proper implementation of core Zero Trust requirements for adequacy and efficiency, while identifying limitations, compliance failures, and facilitating continuous assessment requirements for the 91 Target level Zero Trust activities and the ten Zero Trust Acceptance Criteria,” the RFI stated.

Interested companies are being asked to provide their input on a range of questions on how specifically AI and automation can assist the purple team process — from how the technology can simulate realistic cyberattack scenarios to how it can generate comprehensive final assessment reports and recommendations.

The portfolio management office is also interested in emerging AI trends that are likely to impact evaluations and what innovative capabilities are currently being explored that could enhance purple teaming in the future.

The deadline to submit responses to the RFI is Feb. 9.
