Across several agencies with the Department of Defense (DoD), building a zero-trust architecture to secure IT systems is becoming the strategy of choice for agency leaders as several confirmed efforts to transition over from a traditional perimeter approach today.
From pilot programs to sparking a cultural shift toward zero trust, defense officials shared how component agencies are embracing the flexible approach to cybersecurity. The National Security Agency (NSA), Defense Information Systems Agency (DISA), U.S. Cyber Command, and the DoD Office of the CIO are all collaborating on a zero-trust pilot, according to DISA Security Enablers Portfolio Chief Engineer Brandon Iske.
“Zero trust from our perspective is very much a journey and a change in mindset and culture,” Iske said at an AFCEA event on October 8. “This is actually for us a joint effort that we’re working on with NSA under guidance from U.S. Cyber Command and DoD CIO, so really what NSA and DISA are doing is really defining the principles here.”
Iske continued that a lot of the principles are based off of National Institute of Standards and Technology guidance on zero trust, and the agencies are also putting a reference zero-trust architecture together based on existing DoD enterprise services and capabilities. “We’re leveraging the same set of principles and guiding concepts that are very common here across the board so that includes never trust always verify, assume breach, and verify explicitly,” he explained.
The U.S. Army is also preparing to switch to zero trust throughout Fiscal Year 2021. Patrick Dedham, deputy to the commander/senior technical director/chief engineer at the Army’s NETCOM division, said that his agency’s two goals are solidifying the zero-trust architecture and devising a long-term plan for implementation.
“You can’t just divest in that perimeter security that we’ve invested in for a very long time and then just go zero trust,” he cautioned, “you’ve got to come up with a plan that you can slowly divest and improve security as you build up your zero trust capabilities.”
In the remote environment, component agencies such as the U.S. Marine Corps are guiding the workforce through the shift to zero trust. “I’m also trying to help the workforce understand this is the best way we can secure the information you’re accessing,” U.S. Marine Corps Forces Cyberspace Command Cyber Technology Officer Renata Spinks said at the event.
“The evolution of zero trust is going to be what keeps us most busy and keeps us continuing the emphasis of partnering with industry and each other,” she added.
At the U.S. Navy, CISO Chris Clearly agreed a hurdle has been helping warfighters understand why zero trust is such a critical pivot to make. While the IT staff already understand the value of zero trust, those outside of the tech bubble may face a steeper learning curve. The pandemic and mass shift to telework, however, has helped push zero trust efforts ahead.
“[COVID has] driven us to adopt and focus in on what we need to do in regard to zero trust probably faster than we would’ve without COVID being here,” Clearly said.
Meanwhile, Cybersecurity and Infrastructure Security Agency (CISA) Trusted Internet Connections (TIC) Program Manager Sean Connelly is gearing up to help agencies transition to zero trust by publishing Federal use cases involving the strategy. “We are exploring having a zero-trust use case come out,” he said at the event. “What we’ll do is we’ll work with the Federal CIO and CISO Councils, vendors, and of course agencies.”
Agencies will look at positioning zero trust pilots while CISA, the General Services Administration, and other stakeholders distill lessons learned to be applied to a TIC use case. Then, the use cases will be distributed via the Federal CISO Council for broader adoption, Connelly explained.