Defense Department Cybersecurity: All Ahead on Zero Trust

With the Defense Department’s quick and successful pivot to a remote workforce last Spring via its Commercial Virtual Remote (CVR) environment, it proved that the future to fully operate from anywhere in the world is now. Gone are the days of thousands of civilian employees heading into the Pentagon or other installations everyday. However, with this new disparate workforce comes increased risks for network security.

As my colleague Bill Wright expertly noted last Summer:

“Given this unexpected shift to a more distributed workforce, agencies are taking an increased interest in Zero Trust architectures – a security model that assumes that there are attackers both within and outside of the network, such that no users or machines should be automatically trusted.”

Likewise, the Pentagon’s cyber leadership has weighed in on the importance of Zero Trust architecture today.  Last Fall John Sherman, currently the Acting Chief Information Officer at the Pentagon, said Zero Trust will likely be the way that the Department has to operate moving forward.

Zero Trust in the DoD

Zero Trust is not a new concept for the Department. In its Digital Modernization Strategy, now on the books for nearly two calendar years, DoD clearly stated that Zero Trust architectures were part of “technologies offering promise to DoD.” Appendix A to the Strategy goes on to detail that the DoD Chief Information Officer, Defense Information Systems Agency (DISA), U.S. Cyber Command, and the National Security Agency (NSA) are working together to explore how the Department can best utilize Zero Trust.

While careful to note the potential complexity, the Strategy calls for the deployment of Zero Trust within commercial cloud environments, and highlights the criticality of both security automation and orchestration, as well as the need for added analytical capacity to “handle the required sensor and logging data associated with zero trust security.” 

In its most recent Strategic Plan, covering Fiscal Years 2019-2022, DISA identified Zero Trust as a key aspect of their efforts to strengthen their defensive architecture. DISA’s 2021-2022 Agency Technology Roadmap also lists Zero Trust as an enabling activity for cyber defense. In the coming year, plans should be underway to “define [a] reference architecture, develop policy, and test and implement [the] capability.” Last Summer’s DISA Look Book identified seven pillars or focus areas of Zero Trust: user, devices, network/environment, application/workload, data, visibility and analytics, and automation and orchestration. Given this level of planning, it is likely that we can expect to see additional details in the upcoming Fiscal Year 2022 budget request. Clear guidance from the Office of the Secretary of Defense could allow the Services to better plan for future acquisitions that fit into a Zero Trust architecture. 

Congress has taken note as well. Zero Trust has found its way into successive National Defense Authorization Acts for both Fiscal Year 2020 and 2021. In 2020’s bill, Congress directed that the Secretary establish a digital engineering capability to automate testing and evaluation in the acquisition process. Within that capability was a requirement for software that supported security testing and assessments with zero trust assumptions.

Congress followed that this year with a requirement for a pilot program on cybersecurity capability metrics. As part of that pilot program, Congress noted that the Secretary, acting through the Chief Information Officer and Commander of U.S. Cyber Command, may assess “technologies relevant to Zero Trust architectures”, among other areas. Based on established and forthcoming policy, as well as legislation, it’s clear that Zero Trust is going to be a key factor in the Department’s defensive cyber efforts moving forward. All ahead on Zero Trust!


For more information, check out Splunk’s Guide to Embracing a Zero Trust Security Model in Government.