The Department of Defense on Tuesday released its Zero Trust Strategy and Roadmap, which outlines how it plans to go beyond traditional cybersecurity approaches to achieve reduced cyber attack surfaces, enable effective risk management and data sharing in a partner environment, and prevent and remediate active adversaries over the next 5 years.
David McKeown, acting director of information for the department, said: “Do not trust is a framework to go beyond relying solely on perimeter-based cybersecurity defense tools and essentially assume that crimes have occurred within our boundaries and react accordingly.”
McKeown said the department has spent a year now developing plans to move the department to a zero trust architecture by fiscal year 2027. Part of that effort was the development of the Zero Trust Portfolio Management Office, which was established earlier this year.
“With the announcement of this strategy, we made it clear ‘how’ we can address clear results on how to achieve zero confidence – and not just drive technology adoption, like discussed, but also the culture of distrust at DOD and the integrated approach at the divisional and component levels.”
Mr. McKeown said getting the Department of Defense to achieve the goals set out in the Zero Trust Strategy and Roadmap would be “ambitious work”.
Randy Resnick, who serves as director of the Zero Trust Portfolio Management Office, is responsible for ensuring that much of that work gets done.
“With zero trust, we assume a network has been compromised,” Resnick said. “And through periodic user authentication and authorization, we will prevent and discourage enemies from moving through the network, while quickly identifying them and minimizing the damage and the vulnerabilities they may have exploited.”
Resnick explained the difference between a zero trust architecture and security on today’s networks, which assumes a degree of trust for anyone already on the network.
“If we compare this to home security, we can say that we normally lock our windows and doors and only people with keys can get in,” he said. “With zero trust, we’ve identified valuable items in the home, and we put guards and locks inside each of those items in the home. This is the level of security we need against sophisticated cyber adversaries.”
The Zero Trust Strategy and Roadmap outlines four high-level, integrated strategic goals that define what the department will do to achieve that level of security. They include:
- Adopt a Zero Trust culture — All DOD employees understand and are aware of, trained and committed to the Zero Trust mindset and culture to support Zero Trust integration.
- Secure and Protected DOD Information Systems — Cybersecurity measures incorporate and operate with zero trust in old and new systems.
- Technology Acceleration — Technology deploys at a rate that equals or exceeds industry advances.
- Zero Trust Support — Divisional and component-level funding, policies, and processes are synchronized with the Zero Trust approach and principles.
Resnick said the development of the Zero Trust Strategy and Roadmap was carried out in collaboration with the National Security Agency, the Defense Information Systems Agency, the Defense Manpower Data Center, United States Cyber Command and the military services.
The department and its partners worked together to develop a total of 45 capabilities, and more than 100 activities derived from those capabilities, many of which the department and divisions will engage in as part of successfully achieving baseline, or “target level,” compliance with a zero trust architecture over a period of 5 years, Resnick said.
“Each possibility, of the 45 possibilities, falls within what we call a ‘target’ or ‘advanced’ confidence level. The DOD target level of distrust is considered the required minimum set of distrust capabilities results and activities required to secure and protect your data, applications, assets, and services, to manage the risk from all cyber threats to the Department of Defense.”
On the whole, every agency will have to adhere to the target-level implementation outlined in the Zero Trust Strategy and Roadmap. Only a few can reach higher levels.
“If you’re a national security system, we might ask for an enhanced level for those systems,” McKeown said. “But real enhancement isn’t necessary for literally every existing system. We have a positive goal of reaching the ‘goal’ by 2027. And we want to encourage those in need, whose data security requirements are higher, to apply this advanced level.”
Resnick said achieving the target level of zero trust does not equate to a lower standard of cybersecurity.
“We define targeting as the extent of our ability to actually stop, slow, or stop an adversary from exploiting our network,” he said. “Compared to today, where an adversary could perform an attack and then traverse the network, often below noise detection, with zero confidence, that wouldn’t be possible.”
Resnick said that by 2027, the department will be more prepared to prevent adversaries from attacking the DOD network and mitigate damage should that happen.
“The level of distrust of the target will be the ability to stop the enemy, prevent their freedom of movement, not only to go sideways, but also to be able to see the network, enumerate the network and even try to exploit the network,” he said.
If more is needed later on, the requirements to meet the target compliance level could be adjusted, he said.
“The target will always remain at the level where we are seeing and stopping the enemy,” he said. “And for the majority of DOD, that’s really our goal.”