Comply-to-Connect is Key to Zero Trust for DoD

By Melissa Trace, Vice President, Global Government Solutions at Forescout Technologies

Research from Forescout’s Vedere Labs reveals that government organizations have the highest percentage of devices at risk. Between the explosion of remote work, the ongoing ransomware epidemic and the fact that non-traditional assets such as IoT, OT and IoMT devices now outnumber traditional IT assets, agencies are well aware of the need to evolve the cybersecurity of government networks. In fact, relative to the private sector, government is reportedly leading the charge in zero trust adoption.

The appeal of the zero trust methodology is the ability to restrict access to data resources by assessing each user-to-resource connection request at the most granular level possible. Agencies turn to the primary zero trust reference, NIST Special Publication (SP) 800-207: Zero Trust Architecture (NIST SP 800-207), which provides the following steps for introducing zero trust to a perimeter-based architected network:

  1. Identify actors on the enterprise;
  2. Identify assets owned by the enterprise;
  3. Identify key processes and evaluate risk associated with executing them;
  4. Formulate policies for the zero trust architecture candidate (the process or application chosen for initial migration);
  5. Identify candidate solutions, including the policy enforcement point (PEP);
  6. Perform the initial deployment and monitor it; and
  7. Expand the zero trust architecture.

Even the first two steps are a major undertaking for an organization as large as the Department of Defense (DoD). The DoD Information Network (DoDIN) spans thousands of networks, each with thousands of connected devices and systems. Simply knowing every IT asset on the DoDIN has always been a challenge.

Comply-to-Connect Leverages Zero Trust Principles for the DoD

The DoD launched Comply-to-Connect (C2C), one of the largest government cybersecurity efforts in the world, to boost its security posture across the enterprise. C2C applies zero trust’s least privilege principle to protect access to data resources and assets.

C2C provides the foundation of the DoD’s zero trust journey and is the next step in the evolution of security across the DoDIN at both the classified and unclassified levels. A major distinction between C2C and previous security programs is that C2C seeks visibility of all assets, traditional and non-traditional alike. Whereas other enterprise security solutions focus on a subset of DoDIN-connected devices, C2C applies to every category of DoDIN-connected device: workstations and servers, mobile devices, user peripherals, platform IT devices, IoT devices, and network infrastructure devices.

Further, DoD’s C2C policy lets teams verify the security posture of each endpoint before granting it network access. Before access is given, every device is checked for compliance with organizational policy. In keeping with zero trust, compliant systems and devices are then granted access only to the network segments appropriate to them. All connected devices remain under continuous monitoring, and any compliance discrepancy that appears later can be addressed through automated action within the C2C framework.

The two main objectives of C2C are:

  1. C2C fills capability gaps in currently fielded enterprise security solutions through complete device identification, device and user authentication, and security compliance assessment.
  2. C2C automates routine security administration, remediation of noncompliant devices and incident response by integrating multiple management and security products with continuous monitoring.
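As an added illustration of the admission and continuous-monitoring flow described above (example code written for this page, not Forescout’s C2C implementation or any DoD tooling): a small posture-evaluation engine that places each device in a segment according to whether it is in inventory, authenticated, running the endpoint agent and current on patches, then re-runs the check on a later date and reports which devices have drifted out of compliance. The device categories follow the list above; the patch-age threshold, segment names, the agent-required rule and the sample device records are constructed assumptions for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

# Thresholds, segment names and the agent-required categories are
# assumptions for this example, not values from the C2C program.
MAX_PATCH_AGE = timedelta(days=30)
AGENT_REQUIRED = {"workstation", "server"}          # managed endpoints
SEGMENT_BY_CATEGORY = {
    "workstation": "vlan-users",
    "server": "vlan-servers",
    "mobile": "vlan-mobile",
    "peripheral": "vlan-peripherals",
    "platform_it": "vlan-platform-it",
    "iot": "vlan-iot",
    "network_infra": "vlan-mgmt",
}
QUARANTINE_SEGMENT = "vlan-quarantine"
REMEDIATION_SEGMENT = "vlan-remediation"


class Decision(str, Enum):
    ALLOW = "allow"              # production segment for its category
    REMEDIATE = "remediate"      # limited segment, automated fix pushed
    QUARANTINE = "quarantine"    # visible on the network, no production access


@dataclass
class Device:
    mac: str
    category: str
    in_inventory: bool      # known asset (NIST SP 800-207 step 2)
    authenticated: bool     # device/user authentication succeeded
    agent_present: bool
    last_patch: date


def evaluate(dev: Device, today: date) -> tuple[Decision, str]:
    """Posture check performed before any production access is granted."""
    # Unknown or unauthenticated devices never reach a production segment,
    # whatever else they report about themselves.
    if not (dev.in_inventory and dev.authenticated):
        return Decision.QUARANTINE, QUARANTINE_SEGMENT
    if dev.category not in SEGMENT_BY_CATEGORY:
        return Decision.QUARANTINE, QUARANTINE_SEGMENT
    # Managed endpoints must run the agent and be current on patches.
    # Agentless categories (IoT, peripherals, network infrastructure) are
    # admitted on identity and inventory alone, confined to their own segment.
    if dev.category in AGENT_REQUIRED:
        if not dev.agent_present or today - dev.last_patch > MAX_PATCH_AGE:
            return Decision.REMEDIATE, REMEDIATION_SEGMENT
    return Decision.ALLOW, SEGMENT_BY_CATEGORY[dev.category]


def reevaluate(devices, previous, today):
    """Continuous-monitoring pass: re-run the posture check on every connected
    device and return (new state, devices whose decision changed)."""
    state = {d.mac: evaluate(d, today) for d in devices}
    changes = {mac: v for mac, v in state.items() if previous.get(mac) != v}
    return state, changes


# Constructed sample inventory (not real DoDIN data).
DAY0 = date(2024, 1, 1)
SAMPLE_DEVICES = [
    Device("00:11:22:33:44:01", "workstation", True, True, True, DAY0 - timedelta(days=10)),
    Device("00:11:22:33:44:02", "workstation", True, True, False, DAY0 - timedelta(days=1)),
    Device("00:11:22:33:44:03", "iot", True, True, False, DAY0 - timedelta(days=400)),
    Device("00:11:22:33:44:04", "workstation", False, False, True, DAY0),
]


def run_demo():
    """Admission decisions on day 0, then the drift detected 25 days later
    when the compliant workstation's patch level ages past the threshold."""
    day0_state, _ = reevaluate(SAMPLE_DEVICES, {}, DAY0)
    _, drift = reevaluate(SAMPLE_DEVICES, day0_state, DAY0 + timedelta(days=25))
    return day0_state, drift


if __name__ == "__main__":
    initial, drift = run_demo()
    for mac, (decision, segment) in initial.items():
        print(f"{mac}: {decision.value:<10} -> {segment}")
    print("changed after 25 days:", {m: d.value for m, (d, _) in drift.items()})
```

The point of the second pass is the one the article makes about continuous monitoring: the first workstation is admitted on day 0, but by day 25 its patch level has aged past the threshold and the same rules move it to the remediation segment without anyone re-authorizing it by hand. The unknown device is never admitted, yet it is still visible in the state table, which is the visibility-before-trust distinction C2C draws from earlier programs.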

The Importance of Visibility and Monitoring

Visibility and monitoring are prerequisites for DoD’s zero trust “never trust, always verify” authentication and compliance policies. They are also at the core of every government zero trust journey, whether an agency is just beginning or has already attained some level of maturity.