The Marine Corps is integrating its identity and credentialing functions with the Naval Identity Service (NIS) by the end of 2024 as the first step of its “crawl, walk, run” approach to creating a zero trust security architecture, a top Marine Corps tech official said on Sept. 25.
Shery Thomas – the cyber technology officer and technical director for the Marine Corps Information Command, Cyberspace Command, and Space Command – shared updates and plans to meet the looming 2027 deadline for the Corps' full transition to zero trust during a Federal News Network event on Sept. 25.
The first step in the zero trust strategy, Thomas explained, involves integrating Marine Online – an online platform launched in 2002 that offers tools and resources to Marines – with the NIS using Hyperion for identity and access management. The integration aims to enhance security across both the U.S. Navy and Marine Corps.
“It’s federation of identity for both the Navy and the Marine Corps on whatever platform they’re using it on and then we’re going to improve upon that across the entire joint service at a higher level,” said Thomas.
“This meets the Commandant of the Marine Corps guidance to integrate with the Navy at every level possible and to deliver combat power,” Thomas said. “NIS will provide the foundation for the Marine Corps enterprise network, zero trust,” address some authentication use cases, “and federate identity information across” the Defense Department, Thomas said.
Currently, some legacy applications require single sign-on while others are in the migratory process, Thomas said, adding that the goal is to streamline back-end systems so that users, regardless of their device, can access multiple applications without IT bottlenecks. The transition will improve speed “dramatically” and improve “mission effectiveness,” Thomas said.
“Marine Online is the administrative task, then we’ll see how this behaves, how the users react to it and then extrapolate upon it in terms of warfighting mission areas or intel mission areas that cannot have that kind of a pattern and have better functionality for the user, because it’s relevant,” said Thomas.
One of the greatest challenges the Marine Corps is facing in its transition to zero trust for its operational technology (OT) environment is the mix of brownfield and greenfield systems.
“Not every system can get to that [full zero trust transition] because of how it was built originally, unless you tear down the entire system and retrieve it, which is not doable, most likely, because those are operationally relevant things that are out there. Now we have to figure out the best of breed solutions,” said Thomas, saying that the Corps must take a “quasi-zero trust approach.”
The Marine Corps has adopted a strategy of focusing on specific zero trust principles to address the complexities of OT systems, including network segmentation, access control, continuous monitoring, and prioritizing network protection over identity management.
Other priorities of the Marine Corps in zero trust include “velocity, alignment, and divestiture,” the official said.
“Velocity means, how fast can we put it out to the force? It cannot be so complicated that it configures and it’s 30 minutes down,” said Thomas. “Alignment is I don’t want haves and have nots. A couple of good individuals have the greatest, best technology, the other people [do not]. And the third one, I need to get rid of old stuff so we can go after new stuff.”
The DoD strategy issued in 2022 outlines zero trust target levels including a minimum of 91 capability outcomes that DoD agencies must meet by Sept. 2027. The strategy is based on a seven-pillar zero trust model including user, devices, applications and workloads, data, network and environment, visibility and analytics, and automation and orchestration.