Comply-to-Connect began in 2013 as the Department of Defense’s (DoD) program to help the service branches prevent unsecured devices from connecting to the DoD network. Long before that, in the mid-to-late 1990s, Michael Overstreet served as an Air Force information warfare officer working on cyber defense. Now, Overstreet is director of systems engineering at Cisco, and in this recent interview, he discusses how Comply-to-Connect has evolved – and how it today uses zero trust principles to protect access to the DoD network and data.
MeriTalk: Given your military experience, what changes have you witnessed over the years in how the armed forces approach cybersecurity?
Overstreet: Back in the mid- to late 1990s, cyber as an offensive and defensive capability for the military was essentially an afterthought. Now, it’s very much in the forefront of the defense mindset and is built into protections for warfighters, equipment, and networks. The services try to make networks operational from a cyber point of view, using the network as a sensor to identify potential cyber threats. It’s a profound change.
MeriTalk: Let’s talk about DoD’s Comply-to-Connect (C2C) program, which began in 2013 with endpoint management to help the service branches prevent unsecured devices from connecting to the DoD Information Network. From your perspective, how has the C2C program evolved?
Overstreet: Comply-to-Connect is aimed at securing our nation’s defense networks. At the start, Comply-to-Connect focused on identifying DoD and non-DoD devices and only allowing DoD devices to connect to the network. Now that the DoD departments understand what is on their networks, Comply-to-Connect has evolved to enable them to segment their networks and apply more granular policies for access. As a result, it’s much harder for bad actors to successfully attack the DoD.
MeriTalk: The C2C program uses zero trust principles to protect access to the DoD network and data. In your opinion, how far ahead of the zero trust curve is the DoD, in comparison to civilian agencies and the private sector?
Overstreet: DoD has led government and industry in the identity pillar of zero trust, with PIV and CAC cards for user authentication and single sign-on, as well as the implementation of certificates for device identification. I essentially see Comply-to-Connect as the DoD’s implementation of zero trust in an earlier format. Today, civilian agencies are catching up to DoD. In the private sector, it depends on where you look. Some parts of the private sector are struggling, but the banking industry, for example, may be a little ahead of DoD.
MeriTalk: What is the first thing DoD agencies should do when they are evaluating cybersecurity technologies to meet C2C requirements?
Overstreet: That is a great question. Agencies should first review their existing cybersecurity tools to determine what they already have that meets DoD requirements for zero trust, or any of the other frameworks that potentially could be applied. Comply-to-Connect should not be a rip and replace endeavor. This evaluation serves another purpose, too, because it helps determine where agencies have gaps in their cybersecurity protection.
MeriTalk: What’s the next step when agencies identify those gaps?
Overstreet: My approach would be to align Comply-to-Connect with zero trust capability models to identify gaps. If you determine that you don’t have protection in certain areas, you then have a roadmap to fulfill the requirements of zero trust and Comply-to-Connect.
MeriTalk: You noted that Comply-to-Connect shouldn’t mean rip and replace. How can DoD agencies use their current cybersecurity technologies to meet the requirements of C2C?
Overstreet: The key is integration. Many vendors will build an integrated solution using what the DoD already has in place. Cisco has done that over and over. More and more, integrations between security solutions are built in. Integration doesn’t happen at the click of a button, but it’s worth the effort. DoD agencies can increase their security posture dramatically by leveraging those existing integrations.
MeriTalk: What are the components of Cisco’s C2C solution, and how do they work together – and with other cybersecurity technologies?
Overstreet: Part of our solution for Comply-to-Connect is Cisco’s Identity Services Engine (ISE), which is a policy orchestration tool that gathers intelligence to authenticate users and endpoints and to automatically contain threats. ISE also has integrations into other products, such as ServiceNow’s CMDB, and on the endpoint, solutions including Microsoft, Trellix, and Tenable, which help to identify assets that are trying to join the DoD network and determine if those assets comply with DoD policy. Cisco’s solution also integrates with security information and event management (SIEM) technology to support threat detection, compliance, and security incident management.
MeriTalk: In your experience, what are some of the tangible benefits of C2C today, and what benefits should DoD organizations experience in the future?
Overstreet: Today, C2C is dramatically improving visibility across the network, as well as the ability to identify vulnerabilities and isolate hosts with vulnerabilities.
Here’s a scenario where I think C2C will help in the future: A service member based in D.C. goes on a temporary duty assignment to San Diego. If Comply-to-Connect moves forward the way the military wants it to, that user’s policy should follow him or her to San Diego, with the same user experience and policy and permissions to work on the network in San Diego. That’s not the case today. But it’s coming. C2C should also be able to solve problems where we need to move quickly, such as isolating devices that are affected by a zero-day attack. DoD has this capability today; soon, C2C is going to enable the department to remove a vast number of affected devices with pinpoint accuracy.
MeriTalk: How is Cisco’s approach to C2C different from other cybersecurity solutions providers?
Overstreet: I think ours is more holistic. Our solution isn’t just the ISE policy engine. It’s also native network access controlling devices, like routers, switches, and VPN concentrators. All of that is a huge differentiator. But we’re not trying to be the end-all, be-all solution for DoD. We also see opportunities for us to partner and use integrations to help solve the C2C problem, and that’s one of our strengths as .
For more information about Cisco’s Comply-to-Connect solution and other government solutions, visit cisco.com/go/securegovernment.