New DoD zero trust strategy to reduce attack surface, while enabling risk management and effective data-sharing 

The U.S. Department of Defense (DoD) published this week its zero trust strategy and roadmap that envisions a DoD information enterprise secured by a fully implemented, department-wide zero trust cybersecurity framework. The DoD zero trust cybersecurity framework will largely work towards reducing the attack surface, enabling risk management, and delivering effective data-sharing in partnership environments, apart from containing and remediating adversary activities.

The DoD zero trust strategy defines an adaptive approach for how DoD must champion and accelerate the shift to a zero-trust architecture and framework that secures and protects DoD information enterprise within the Joint Information Environment (JIE) and specifically the DoD Information Network (DODIN). 

The strategy intends to establish the parameters and target levels necessary to achieve zero trust adoption across systems and networks. Additionally, the approach emphasizes the need for DoD and its components to embrace evolving technology while adapting and responding to known and unknown malicious hackers. It involves the full breadth of stakeholders in the DoD zero trust ecosystem and allows the strategic implementation to begin immediately.

The DoD zero trust strategy provides necessary guidance for advancing zero trust concept development; gap analysis, requirements development, implementation, execution decision-making; and, ultimately, procurement and deployment of required zero trust capabilities and activities that will have meaningful and measurable cybersecurity impacts upon adversaries. 

With current and future cyber threats and attacks driving the need for a zero trust approach beyond the traditional perimeter defense approach, the DoD intends to implement distinct zero trust capabilities and activities as outlined in the strategy and associated roadmap by FY27, the document said.

The strategy outlines four high-level and integrated strategic goals that define what the Department will do to achieve its vision of zero trust. These include zero trust cultural adoption where all DoD personnel are aware, understand, trained, and committed to a zero trust mindset and culture and support integration of the approach. The DoD information systems secured and defended cover cybersecurity practices that incorporate and operationalize zero trust in new and legacy systems, while technology acceleration involves technologies that deploy at a pace equal to or exceeding industry advancements. Lastly, zero trust enablement will comprise department- and component-level processes, policies, and funding, which are largely synchronized with zero trust principles and approaches.

The strategy also refers to the seven DoD zero trust pillars, which is the basis for the strategy’s zero trust capability roadmap, a capabilities-based execution plan, and the DoD zero trust and cybersecurity reference architectures. Finally, the strategy provides high-level guidance on resourcing and acquisition, measurement and metrics, and governance. 

“Importantly, this document serves only as a strategy, not a solution architecture. Zero Trust Solution Architectures can and should be designed and guided by the details found within this document,” John Sherman, chief information officer at the DoD, wrote in the document. “We must adapt, remain agile, and execute on synchronizing Zero Trust efforts across and throughout the Department. If we do not do this together, our teammates’ vulnerabilities will remain exposed and open to attack, which makes all of us less strong. We need to make certain that when malicious actors attempt to breach our Zero Trust defenses; they can no longer roam freely through our networks and threaten our ability to deliver maximum support to the warfighter,” he added.

In January this year, the DoD established the DoD Zero Trust Portfolio Management Office (ZT PfMO) within the DoD CIO, to orchestrate the DoD efforts outlined in this DoD Zero Trust Strategy document and to accelerate ZT adoption through several courses of action. “Recognizing that the starting point for Zero Trust and maturity levels varies between components, Components must align their ZT solution architectures and execution plans accordingly to this strategy so that overall DoD Enterprise ZT outcomes are achieved and in alignment to the DoD ZT PfMO schedule,” the zero trust strategy document noted. 

The DoD zero trust strategy also highlights DoD CIO-led efforts, through the PfMO, to accelerate zero trust as part of its responsibilities for all matters relating to the DoD information enterprise. These include component information network infrastructure, DoD enterprise IT service and solutions, national security systems, industrial control systems, and embedded computing of wired, wireless, and mobile communication and platforms.

To accelerate the adoption of the full set of zero trust capabilities, the DoD is also considering several courses of action (COAs) to include commercial and Government-owned cloud-based enterprise services. These and other adoption acceleration opportunities, including compressed or accelerated execution timelines, will be iteratively defined, developed, and deployed as part of future strategy execution. The DoD information enterprise and, specifically, the DODIN’s cybersecurity capabilities must be able to prevent malicious actors from affecting DoD’s ability to detect, deter, deny, defend, and recover from malicious cyber activity across all operational environments. 

“The Target Level ZT24 is the minimum set of ZT capability outcomes and activities necessary to secure and protect the Department’s DAAS to manage risks from currently known threats,” the document said. “While the DoD ZT Framework will mature and adapt over time, the current strategic context dictates an immediate focus on expediting investments in core ZT capabilities and technologies. The Department and its Components must achieve the Target Level ZT as soon as possible. With the Target Level ZT achieved, the ZT PfMO will monitor continued compliance and guide movement to Advanced ZT as DoD mitigates current risks.” 

It added that based on the need to continue the evolution towards a next-generation security architecture and address new threats as malicious hackers adjust to DoD’s improved security posture, the zero trust PfMO may also modify how this strategy defines the target level of zero trust. Using a phased approach to achieve all targeted zero trust capabilities will make realizing the vision of the DoD zero trust strategy possible. 

Achieving the DoD Zero Trust Strategy will enable users to access required data from anywhere, from any authorized and authenticated user and device, fully secured. It will also enable secured and protected information systems facilitating the DoD’s evolution into a more agile, more mobile, cloud-supported workforce, using reduced attack surface risk profiles through protective actions enabled by micro-segmentation of the DoD information enterprise.

It will also address threats to the cloud, artificial intelligence (AI), and command, control, communications, computers, and intelligence (C4I) remediated through risk-based cybersecurity protocols and policies. Furthermore, the DoD zero trust strategy will deliver effective damage containment, mitigation, and remediation when a device, network, user, or credential is compromised. It will also bring in consistent, aligned, and effectively resourced zero trust capabilities for advanced cybersecurity operations and a resilient DoD information enterprise that recovers rapidly from attacks and minimizes damage through the enablement of zero trust. 

The DoD chalks that the path to achieving impactful security benefits with zero trust is through an iterative process that must be continuously refined as the strategic context evolves DoD and its components execute their action plans, and federal guidance evolves. The department will periodically reevaluate the effectiveness of its strategy and make course adjustments as needed. 

“Acting on behalf of the DoD Cyber Council and through applicable DoD offices of primary responsibility and in coordination with the Components, the Director of the ZT PfMO orchestrates overall strategy execution,” the document said. “The PfMO will work closely with Components to define, develop, and adapt execution plans to achieve each of the goals and objectives outlined.”

The starting point for zero trust and maturity levels vary across the DoD information enterprise due to completed, ongoing, and planned initiatives. Moving forward, components must align their execution plans to this strategy to achieve the outcomes and identify implementation opportunities and obstacles. 

Legacy infrastructure and systems may not require or justify immediate zero trust retrofit and depending on where and how installed, may not comply with mandated adoption. Components and system owners must submit on an annual basis any request for a waiver to the zero trust PfMO for DoD CIO approval based on a predefined set of standards designed to ensure maximum security of DoD networks. 

“System owners are responsible for executing and enforcing the move to ZT and must understand risks associated with delaying implementation,” the document said. “Appropriate security controls, including potential refinements to how DoD implements the Risk Management Framework (RMF), must be designed and enforced to counter new attack vectors and emerging threats until a full rationalization of those systems can be conducted to either eliminate or modernize accordingly,” it added. 

Executing and achieving the objectives laid out in the DoD zero trust strategy requires the coordinated efforts of the joint force and the entire defense ecosystem. “Everyone in the Department has a role to ensure the success of ZT. While protecting data is central to ZT, successfully implementing our ZT Framework requires that the entire Department understands and embraces a culture of ZT. To achieve the DoD Zero Trust Strategic Vision, the Department must pursue the strategic goals outlined above as an enterprise,” the document observed. 

“While this is an enormous task, DoD has already made significant progress. Dating over a decade, DoD has advanced cybersecurity through initiatives such as continuous monitoring, multifactor authentication, and others,” according to the DoD document. “The technologies and solutions that create ZT, and the benefits it provides, must become a part of the Department’s lexicon and be accounted for in every plan and operation. Cybersecurity in the world today is, by definition, a moving target, and while it may move, the concept and the culture will remain the same, even as the Department adapts and refines the strategy.” 

Ongoing and open communication and coordination, underpinned by proper funding and resourcing, are key to the strategy’s success. The department’s ability to protect, and by extension, DoD personnel against the array of increasingly sophisticated cybersecurity threats depends on it, the document added.

Last week, the U.S. Government Accountability Office (GAO) disclosed that the DoD has not fully implemented its processes for managing cyber incidents. It also does not have complete data on cyber incidents that staff report and fails to document whether it notifies individuals whose personal data is compromised in a cyber incident.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.