The Defense Department officially launched its zero trust strategy and road map Tuesday, part of a larger strategy to overhaul the way federal agencies combat sophisticated threat actors, including those from criminal organizations and rogue nation states.
The DOD will move away from a perimeter-based approach for IT systems defense to a system that essentially assumes the risk of breach during regular interactions and will act accordingly. The plan calls for the Pentagon's full implementation of the strategy and road map by fiscal 2027.
“With zero trust we are assuming that a network is already compromised,” Randy Resnick, director of the zero trust portfolio management office at the Defense Department, said Tuesday during a conference call with reporters. “And through recurring user authentication and authentic authorization, we will thwart and frustrate an adversary from moving through a network and also quickly identify them and mitigate damage and the vulnerability they may have exploited.”
Zero trust is an environment where a network is secured in such a way that any person or device that interacts with its systems is considered a potential threat. They must be properly authenticated and allowed access to the information they need.
Resnick compared the situation to home security, where traditionally a homeowner places locks on all the doors and windows and only those with keys can get in. In a zero trust environment, any items of value inside the home are identified and guards and locks secure each one of those items too.
Under the strategy, the Pentagon plans to limit the ability of threat actors to gain access and evade detection inside the agency’s systems, with a particular emphasis on denying the ability to move laterally within systems.
Officials are also focused on preventing identity theft and will enforce multifactor authentication.
DOD and the defense industrial base have been the target of more than 12,000 cyberattacks since 2015, a report by the Government Accountability Office released earlier this month showed.
Microsoft, in a blog post released Tuesday, praised the DOD announcement on zero trust, noting the challenge of collaborating on zero trust amid the difficulties of comparing implementations across various organizations and technology stacks.
“However the level of detail found in the DoD’s strategy provides a vendor-agnostic, common lens to evaluate the maturity of a variety of existing and planned implementations that were derived from the DoD’s unique insights on cybersecurity,” Steve Faehl, federal security CTO at Microsoft, said in the blog post.
Microsoft has a vested interest in the Pentagon's technology stack. The agency is scheduled to award its $9 billion cloud contract, the Joint Warfighting Cloud Capability, in December, according to a DOD spokesperson. JWCC is the multicloud successor to the scuttled $10 billion Joint Enterprise Defense Infrastructure contract that was originally awarded to Microsoft.
Microsoft has been working with the U.S. Navy on a program called Flank Speed, a 2021 transition in which hundreds of thousands of personnel were moved to a single Microsoft Office 365 environment.
Kevin Orr, president of RSA Federal, called the zero trust rollout a promising step forward that will help the Pentagon combat threats within its environment as well as those potentially introduced by third-party suppliers.
“It is especially promising to see the goals of this strategy take into account cultural adoption, addressing new and legacy systems, organizational processes and advanced technology adoption,” Orr said via email. “This philosophy takes into account a comprehensive cybersecurity ecosystem and also raises the bar for any organization working with the DOD to shore up their cybersecurity defenses.”