The Defense Department officially unveiled a zero trust strategy and roadmap today laying out how DoD components should direct their cybersecurity investments and efforts in the coming years to reach a “target” level of zero trust maturity by 2027.
The release of DoD’s zero trust strategy follows on the heels of the White House Office of Management and Budget’s federal zero trust strategy published earlier this year. DoD’s strategy lays out a detailed and ambitious plan for defense components to attain specific zero trust capabilities by 2027.
The aim is to counter a “rapid growth” in offensive cyber threats by shifting away from a perimeter defense model to a “never trust always verify” mindset, DoD Chief Information Officer John Sherman wrote in the foreword to the strategy.
“Zero Trust is much more than an IT solution,” Sherman wrote. “Zero Trust may include certain products but is not a capability or device that may be bought. The journey to Zero Trust requires all DoD Components to adopt and integrate Zero Trust capabilities, technologies, solutions, and processes across their architectures, systems, and within their budget and execution plans. Perhaps most importantly, they must also address Zero Trust requirements within their staffing, training, and professional development processes as well.”
The strategy lays out four strategic goals: zero trust culture adoption; DoD information systems secured and defended; technology acceleration; and zero trust enablement.
DoD’s approach includes 45 separate “capabilities” organized around seven “pillars”: users, devices, networks and environments, applications and workloads, data, visibility and analytics, and automation and orchestration.
And it segments DoD’s expected progress across those pillars into “target” and “advanced” levels of zero trust. DoD expects the “target” level goals to be achieved by fiscal 2027, while the “advanced” capabilities will be attained in the years afterward, according to the strategy.
“The strategy makes zero trust tangible and achievable, while recognizing a dynamic and frankly continuous improvement approach,” Randy Resnick, director of DoD’s zero trust portfolio management office, said in a call with reporters Tuesday.
DoD also released an associated “zero trust capability execution roadmap” today laying out a baseline approach to zero trust using the department’s current IT infrastructure and capabilities, known in IT parlance as a “brownfield” approach.
DoD is also developing separate future zero trust roadmaps for “commercial cloud” and for “private cloud.” Those approaches are expected to achieve zero trust “quicker” than the five-year, baseline approach, according to the roadmap document.
DoD plans on piloting its zero trust approach with the four major commercial cloud providers involved in the Joint Warfighting Cloud Capability acquisition: Google, Oracle, Microsoft and Amazon Web Services.
“We gave them advanced copies of drafts of what we’re working on,” Acting Principal Deputy CIO David McKeown said. “They were very encouraged that somebody had finally defined for them the things that they would need to hit in order to satisfy zero trust. . . . We have clearly defined a north star for these vendors and they were pretty happy with that.”
Deadlines and pilots
Component-level execution plans laying out “how Zero Trust is applied across their networks, including all infrastructure and systems,” are due to the DoD CIO’s office by Sept. 23, 2023.
“System owners are responsible for executing and enforcing the move to ZT and must understand risks associated with delaying implementation,” the strategy states. “Appropriate security controls, including potential refinements to how DoD implements the Risk Management Framework (RMF), must be designed and enforced to counter new attack vectors and emerging threats until a full rationalization of those systems can be conducted to either eliminate or modernize accordingly.”
DoD components are also being directed to pilot zero trust on three legacy systems over the course of the next year, according to the strategy. And one of the first key deadlines for DoD organizations is to log all network traffic by the fourth quarter of fiscal 2023.
By the end of 2023, DoD components should begin deployment of zero trust into production systems, according to the strategy.
Components will have to address funding for their zero trust plans through the annual budgeting process, the strategy states. “DoD CIO will work with Components to address any Component-level resourcing shortfalls, each fiscal year, within the annual Program Objective Memorandum (POM) cycle, starting with the next immediate submission. Additionally, DoD CIO will work with Components to submit requests for new funding to Congressional appropriators through the regular DoD resourcing processes.”
The strategy does not mandate any specific IT solutions or zero trust products. Instead it states, “components are free to select their own solutions and solution architectures, as long as they deliver the specified ZT Capability outcomes needed to reach the Target or Advanced Level ZT and are able to show that proof to their Authorizing Official and/or the ZT PfMO.”
The zero trust portfolio management office will take metrics reported by the components and provide the DoD Cyber Council with a “combined scorecard,” the strategy states, “to measure this strategic plan’s progress and identify additional risks that need to be mitigated to advance overall ZT strategic objectives.”
The council will serve as the primary authority on both zero trust technical and strategic direction, the strategy states. It is co-led by the DoD CIO and the DoD principal cyber advisor.
“Executing and achieving the objectives laid out in this strategy requires the coordinated efforts of the Joint Force and the entire defense ecosystem,” the strategy states. “Everyone in the department has a role to ensure the success of ZT. While protecting data is central to ZT, successfully implementing our ZT framework requires that the entire Department understands and embraces a culture of ZT.”