IRIA News

U.S. Department of Defense released its “Zero Trust Strategy and Roadmap” to counter network attacks, enable risk management and effective data-sharing, and contain adversary activities over the next five years.

The Zero Trust Strategy and Roadmap was developed by the Defense Department in collaboration with the National Security Agency, the Defense Information Systems Agency, the Defense Manpower Data Center, U.S. Cyber Command, and the military services.

The Defense department’s acting chief information officer David McKeown described the Zero Trust as a “framework for moving beyond relying on perimeter-based cybersecurity defense tools alone and basically assuming that breach has occurred within our boundary and responding accordingly.”

According to McKeown, the Department of Defense has spent over a year developing plans to get the department to a zero trust architecture by the fiscal year 2027 and the development of a Zero Trust Portfolio Management Office was part of those efforts.

“With the publication of this strategy we have articulated the ‘how’ that can address clear outcomes of how to get to zero trust — and not only accelerated technology adoption, as discussed but also a culture of zero trust at DOD and an integrated approach at the department and the component levels,” he said.

Director of the Zero Trust Portfolio Management Office Randy Resnick said that “With zero trust, we are assuming that a network is already compromised. And through recurring user authentication and authorization, we will thwart and frustrate an adversary from moving through a network and also quickly identify them and mitigate damage and the vulnerability they may have exploited.”

Resnick while describing the Zero Trust features said that “If we compare this to our home security, we could say that we traditionally lock our windows and doors and that only those with the key can gain access… With zero trust, we have identified the items of value within the house and we place guards and locks within each one of those items inside the house. This is the level of security that we need to counter sophisticated cyber adversaries.”

Resnick highlighted that the new strategy aims to contain, slow down and stop adversaries from exploiting the U.S. networks and said that “Compared to today, where an adversary could do an attack and then go laterally through the network, frequently under the noise floor of detection, with zero trust that’s not going to be possible.” He further added that “The target level of zero trust is going to be that ability to contain the adversary, prevent their freedom of movement, from not only going laterally but being able to even see the network, to enumerate the network, and to even try to exploit the network.”

According to the U.S. Department of Defense, the Zero Trust Strategy and Roadmap outlines four high-level and integrated strategic goals that define what the department will do to achieve that level of security.

• Zero Trust Cultural Adoption: All DOD personnel understand and are aware, trained, and committed to a zero trust mindset and culture to support the integration of zero trust. 
• DOD information Systems Secured and Defended: Cybersecurity practices incorporate and operationalize zero trust in new and legacy systems. 
• Technology Acceleration: Technologies deploy at a pace equal to or exceeding industry advancements. 
• Zero Trust Enablement: Department- and component-level processes, policies, and funding are synchronized with zero trust principles and approaches.

All the departments, as well as agencies, are expected to comply with the target level implementation outlined in the Zero Trust Strategy and Roadmap, however, a few departments’ systems have to meet the more advanced level of security.

McKeown said that the national security system may be required to achieve the advanced level for their systems, but stressed that “advanced really isn’t necessary for literally every system out there.” He added that the department wants to “encourage those who have a greater need to secure their data to adopt this advanced level.”