Implementing Zero Trust is a "never-ending journey" that will require continual evolution of cyber capabilities, according to a top Pentagon official.
The Department of Defense (DOD) recently finished more critical steps in its Zero Trust transformation, completing reviews of more than 39 implementation plans and preparing 15 pilots to shift the enterprise's cybersecurity stance away from a perimeter-based model.
"What we need to do is really get to that endpoint state where we can actually start to limit [adversaries'] movements all the way inside our infrastructure. So we're really moving the boundary to the user—right as close to the user as possible," Gurpreet Bhatia, the DOD principal director for cybersecurity and deputy chief information security officer, told the April Adapt 2024 conference in Washington, D.C.
The DOD and military services are staring down a fiscal 2027 deadline to comply with "target" level requirements outlined in the DOD Zero Trust Strategy. This massive overhaul includes orchestrating changes in more than 15,000 networks plus operational technology and critical infrastructure around the globe despite technological challenges and resource and training questions. Then officials must tackle the strategy's "advanced" requirements.
The End State
The department strategy outlines three main courses of action: upgrading legacy infrastructure, adopting commercial clouds, and implementing on-prem capabilities for private instances of those clouds. This vision requires deeply integrated and interoperable tools with advanced visibility and analytics capabilities.
"The whole goal is to have an amorphous environment where you have this hybrid environment of commercial cloud, public cloud legacy. All of it exists together with data seamlessly flowing, identities seamlessly flowing," Bhatia said.
The Zero Trust Portfolio Management Office (PMO), the central authority on the effort, takes a holistic approach to Zero Trust pillars and created a Zero Trust checklist as foundational guidance:
- DOD officials must first take inventory of their network users to implement strong authentication standards for people and other entities.
- Each DOD component must then develop an inventory of all devices that touch the network so IT teams can effectively monitor and control endpoints.
- Thorough and complete inventories of users and devices are then paired with a secure ICAM solution to create a trusted space for users and a transparent environment for the DOD. The result offers the DOD an unparalleled understanding of who and what are touching their networks and a way to spot anyone or anything that shouldn’t be there.
Officials then review implementation plans to ensure that the plans include details on technology pieces and outline resource and policy governance and training environments. The Zero Trust PMO acts as a shepherd, herding components in the same direction rather than letting them go rogue.
"We're trying to make sure that we walked through how to guide everybody in a very consistent way, rather than everybody independently going off and saying, 'I found the ZT nirvana' and 'I found the ZT solution,' which we got a lot of those pitches," he said.
The Innovation Wishlist
Bhatia said he wants to build "high-speed public/private partnerships" based on transparent conversations about what innovations the department needs. DOD officials see a way to shorten acquisition cycles by speeding up authority-to-operate processes and pushing for reciprocity to allow for re-use.
As officials combed through implementation plans, they found areas where they'll need help from industry partners to facilitate seamless data sharing. Federated identities and Identity, Credential, and Access Management (ICAM) services, for example, have been persistent areas of struggle. DOD recently updated two ICAM policies, but it's still working through how to tap master records or other solutions that work across commercial clouds and private infrastructure.
"This is the way I narrow down Zero Trust for myself: I think about it as having the right identity to authenticate and authorize users as they need—whatever they need, wherever they need it," he said. "It's really about the data."
Interoperability will be paramount, not just between DOD components and military services. DOD is finalizing federation agreements with NATO and Five Eyes allies and will need to support collaborations with other U.S. federal partners.
To quickly infuse the DOD enterprise with advanced security capabilities, DOD recently invested in Microsoft 365 E5 licenses and is searching for other tools that plug into the environment.
"What we want to emphasize, though, is that that's one piece of our puzzle," Bhatia said. "We need lots of other solutions that will help us drive and a complete coverage of our Zero Trust enterprise across the board."
Rather than a single tool, DOD officials want an integrated view of their many solutions to maximize cyber capabilities.
The Next Evolution of Cyber Defense
As the department pilots Zero Trust implementations, officials will examine how best to assess those capabilities. "We're really trying to work with all of our assessment teams across the board—red and blue—to make sure that we have a collective assessment that allows us to see how well our countermeasures really work and do their work," he said.
However, successful implementation will rely on cyber defenders understanding their roles and responsibilities as the department shifts to rapid incident response and recovery mode methodologies. Cyber professionals range from local defenders to cloud service providers, all of whom need to be equipped and trained to use tools in a timely manner.
"I remind my team constantly that this is a never-ending journey," Bhatia said. "It just goes on forever and ever until we get to the next evolution of Zero Trust—whatever that looks like.”
