Randy Resnick Archives | DefenseScoop
https://defensescoop.com/tag/randy-resnick/

Pentagon zero trust guidance for IoT and OT coming in September
https://defensescoop.com/2025/06/06/dod-zero-trust-guidance-iot-ot-operational-technology/
Fri, 06 Jun 2025 19:00:15 +0000

The new IoT and OT guidance is expected sometime in September, DOD's zero-trust sherpa Randy Resnick said.

As the Department of Defense races to shore up its cyber defenses with zero-trust security architectures by 2027, it will issue key guidance for how industry partners should enlist the security framework for Internet of Things and operational technology systems by the end of the fiscal year.

Randy Resnick, senior advisor of the Zero Trust Portfolio Management Office in the DOD, said Wednesday that the department is developing those guidance documents as expansions and variations of the 91 baseline “target-level” zero-trust activities it has already released for industry models to meet.

The new IoT and OT guidance is expected sometime in September, Resnick said at the GDIT Emerge: Edge Forward event, produced by FedScoop.

DOD uses what it refers to as “fan charts,” Resnick said, to lay out the various security controls vendors must build into their zero-trust solutions to meet the baseline for military services and defense agencies. In total, there are 152 controls — 91 at the target level and 61 at the advanced level, which “offer the highest level of protection,” the department said in guidance from 2024.

Resnick said that the fan chart for operational technology is “different” than that of the 91 activities needed to meet target-level compliance, though “there’s a lot of overlap.”

“The number of activities to hit target-level OT is different,” he explained.

For securing IoT systems with zero trust, Resnick said it’s essentially the same 91 target-level activities, plus two additional controls.

Explaining why it was necessary to build out additional overlays for OT and IoT systems, he said the way you respond to an incident is quite different, especially for operational technology.

With OT, Resnick said, “You want to have it fail open, or you want to have it fail in a way that doesn’t disturb or cause more mischief or harm than you want.”

Once those pieces of guidance arrive in September, just one more such directive remains for the DOD to issue: zero-trust overlays for weapons systems, said Resnick.

With the 2027 deadline looming, Resnick said he feels like “we’re in good shape,” especially after his office was spared in recent DOGE cuts.

He explained that the department continues to experience successful pilots with industry that meet target or advanced levels of zero trust. And with more of those solutions taking shape, it’s getting closer to the point where DOD organizations will be able to “just buy it, implement it, install it, and pretty much get there before the end of [2027],” Resnick said.

The hard part will then be installing the solutions, he explained.

“We’re talking professional services and a whole army of people that are probably going to be required,” Resnick said. “We’re talking about full swap-outs and new infrastructures. This is not a small problem … I certainly hope that industry is thinking like that.”

DISA’s Thunderdome achieves advanced zero-trust goals
https://defensescoop.com/2025/04/02/disa-thunderdome-zero-trust-randy-resnick/
Wed, 02 Apr 2025 17:17:11 +0000

DISA's Thunderdome solution hit all 152 of the Defense Department's capability outcomes and has achieved advanced levels of zero trust, according to a senior official.

The Defense Information Systems Agency’s Thunderdome program has reached full compliance with the Pentagon’s advanced zero-trust standards, according to Randy Resnick, director of the department’s ZT portfolio management office. 

The achievement is a major milestone for DISA’s Thunderdome initiative, which offers a suite of IT and cybersecurity technologies that various agencies across the Defense Department can use as their zero-trust solution. DISA’s validation of Thunderdome comes more than two years ahead of the Pentagon’s deadline to implement target levels of zero trust by the end of fiscal 2027.

“It is a stellar machine system and environment, and there’s a lot of DOD field activities and agencies that are depending on that solution as its [zero-trust] solution,” Resnick said Wednesday during the Defense Acquisition University’s annual Zero Trust Symposium.

Zero trust is a cybersecurity framework that assumes networks are already compromised by adversaries, as opposed to the perimeter-based standards traditionally employed by the DOD. Rather than establishing a protective cybersecurity boundary over its networks, zero trust requires the Pentagon to integrate new capabilities that can constantly monitor and authenticate its networks and users as they move through them.

The DOD’s 2022 Zero Trust Strategy outlined a minimum set of 91 capability outcomes that agencies and components must meet to achieve “target levels” of zero trust no later than Sept. 30, 2027. The strategy also provided an additional 61 activities that are required to meet what the Pentagon considers “advanced levels.”

Resnick said DISA’s Thunderdome achieved a “perfect 152 out of 152,” meaning the solution is the second to hit all of the department’s ZT capability outcomes. The Navy’s cloud-based Microsoft Office 365 platform — known as Flank Speed — was the first zero-trust solution to achieve advanced levels, and met all 152 requirements earlier this year.

“Thunderdome is the Defense Information Systems Agency’s (DISA) comprehensive ZT solution,” Chris Pymm, Thunderdome portfolio manager at DISA, told DefenseScoop in a statement. “Recently, the Department of Defense DOD CIO purple team has validated that Thunderdome provides advanced level ZT across all 152 activities in DOD’s ZT model. What’s more, organizations can leverage DISA’s Thunderdome procurement vehicle to meet their integration ZT needs.”

According to the agency, the Thunderdome solution leverages enterprise identity credential and access management (ICAM); commercial secure access service edge capabilities; and software-defined wide area networking and security tools.

In 2022, DISA awarded Booz Allen Hamilton a $6.8 million other transaction agreement to prototype Thunderdome, which was later extended to include the Pentagon’s classified Secure Internet Protocol Router Network (SIPRNet). Following 18 months of development, the company received a follow-on production contract in 2023 to transition the solution into full deployment. 

The award is structured as an indefinite delivery/indefinite quantity (IDIQ)-like award to allow for other Pentagon agencies and departments to leverage the OTA over a five-year period. The contract has a total ceiling of $1.86 billion.

Pymm said that Thunderdome “will complete the DISA terrain in June of this year.” The effort’s zero-trust capabilities will be scaled to defense agencies and field activities via the broader migration of users to its new modernized network, known as DODNet, he added.

In fiscal 2025, Thunderdome will be fielded to the Defense Contract Management Agency, Defense Contract Audit Agency, Defense Logistics Agencies, Defense Media Activity, Defense Finance Accounting Service and the Defense Microelectronics Activity.

Moving forward, DISA plans to deploy the capability to the following agencies and organizations in fiscal 2026: Defense Threat Reduction Agency, Joint Staff’s J-6 directorate, Defense Advanced Research Projects Agency, Missile Defense Agency and Defense Manpower Data Center.

Updated on April 2, 2025, at 5:25 PM: This story has been updated to include more information from DISA about plans for Thunderdome and statements from Chris Pymm, Thunderdome portfolio manager.

DOD working on continuous assessment process for deployed zero-trust solutions
https://defensescoop.com/2024/06/25/dod-zero-trust-continuous-assessment-process-randy-resnick/
Tue, 25 Jun 2024 20:11:35 +0000

“What we need is a tool … that is constantly going after [zero trust] infrastructures, that is constantly testing against that configuration that was passed,” Randy Resnick said.

BALTIMORE — As it begins transitioning to a zero-trust cybersecurity framework, the Defense Department is looking to implement a new process that will continuously assess and validate zero-trust solutions after they are fielded.

The Pentagon’s zero trust portfolio management office is moving quickly to assess and validate zero-trust solutions created by industry vendors to reach what it considers “target levels” of zero trust before the end of fiscal 2027. The cybersecurity framework assumes networks at any given time are compromised by adversaries, and therefore the department needs tools to constantly monitor and authenticate users and their devices as they move through a network.

But there is currently no method to continuously assess those solutions after they are fielded to DOD components to assure the architecture works the same as it did when it was first authenticated, according to Randy Resnick, director of the Pentagon’s zero trust portfolio management office.

“What we need is a tool … that is constantly going after [zero trust] infrastructures, that is constantly testing against that configuration that was passed,” Resnick said Tuesday during a presentation at AFCEA’s TechNet Cyber conference. 

Resnick’s office is now formulating a five-step process that will assess and validate a zero-trust solution before it is able to be procured by DOD components, and then use that assessment to independently and continuously test the infrastructure to ensure it is still properly protecting the network, he said.

Much of the Pentagon’s independent assessment process is conducted via purple teaming, a method that tests and analyzes both how adversaries and cyber defenders move and interact in the environment. However, Resnick said there is a “tremendous effort” to reduce the amount of purple teaming done for zero trust implementation.

“We don’t have enough time; we don’t have enough people. It is a drain — they have other missions that they need to do,” he said. “But if we can figure out a way to truly, independently test in a portable way and work in an industry environment, a neutral environment, something that costs extremely little, … that is relatively quick [and] where we could accelerate the number designs to throw into purple teaming — that’s what we’re looking for.”

Prior to going through the process, vendors will be required to tell the department how many zero-trust activities their proposed solution will achieve. The Pentagon’s 2022 zero trust strategy outlined 91 activities that cover minimum data security requirements for target levels of zero trust and an additional 61 activities defined as the full set of capabilities for “advanced levels.”

Vendors would then move through the first three steps of the process, each of which involves multiple assessments and tests of the proposed zero trust solution to validate whether it meets target levels and create a baseline infrastructure that will be used to compare the design against once it’s deployed. 

First, vendors will use a zero trust readiness assessment tool to evaluate their solution to determine if there are any gaps or additional activities it needs to reach, Resnick explained. Then, the solution will go through an automated threat-based cyber assessment in a simulated lab specifically configured to test the environment based on its design and intended threat environment, he said.

In the third step, advanced persistent threat teams would conduct independent “purple team assessments” of the zero-trust solution that test and analyze both how adversaries and cyber defenders move and interact in the environment. Using data from the previous two steps, teams would create a tailored and detailed test plan to complete a robust examination of the zero trust solution and produce a “purple team report,” Resnick said.

If the report determines a vendor’s solution meets zero-trust target levels, “we’ll make a recommendation to the DOD [Chief Information Officer] to give it a thumbs up for the DOD to approve that configuration for employment and procurement,” he said. “That would be the gate to allow the components to assuredly procure target- or advanced-level ZT solution prior to 2027.”

The goal is to create a “menu of solutions” that DOD components can eventually choose from across all three courses of actions outlined in the zero trust strategy’s capability execution roadmap, Resnick noted.

The approved solution would then move into step four, which is the zero trust overlays for the risk management framework, he said. The guidance document describes how to apply security controls across the Defense Department through a phased implementation approach, helping standardize overall zero trust adoption and develop capability gap analysis for officials.

Finally, the Defense Department will use a continuous monitoring assessment tool configured to monitor for configuration drift and other potential issues. Configured with all 152 zero trust activities, the tool will run over 300 attacks a day on the infrastructure and compare it to the baseline created earlier in the approval process, according to a chart shown in the presentation. If a solution strays too far from its known design, officials at Joint Force Headquarters – Department of Defense Information Network will be notified of the breach, Resnick said.

“Conceptually, we believe that this spectrum creates repeatable processes that are independent enough to allow creativity [and] innovation, but it has certain government checkpoints where everybody has to meet, where the output leads into another thing,” he noted. “This way, we think we’re going to get the best designs implemented in the Department of Defense.”

With 2027 deadline looming, DOD moves into implementation phase of zero trust transformation
https://defensescoop.com/2024/04/04/dod-zero-trust-implementations-phase-2027/
Thu, 04 Apr 2024 19:54:08 +0000

“We’ve done a lot of planning, we’ve tried to educate the force, we’ve gotten the plans all submitted. And now, we’ve got to move into execution,” Deputy CIO for Cybersecurity Dave McKeown said.

After months of preparation and funding, the Defense Department has begun executing on its ambitious plans to transition to a zero-trust cybersecurity framework by the end of fiscal 2027, according to multiple senior IT officials at the Pentagon. 

In 2022, the Defense Department released its first strategy and a reference architecture for operating under zero trust — a cybersecurity concept that assumes networks are already compromised by adversaries, meaning the Pentagon must constantly monitor and authenticate users and their devices as they move through a network.

The strategy outlined what it considers “target levels” of zero trust, which are a minimum set of 91 capability outcomes that agencies and components at the department must meet to secure and protect networks. The Pentagon’s goal is to achieve those target levels no later than Sept. 30, 2027.

Despite the seemingly aggressive timeline for introducing an entirely new cybersecurity concept across the department, different IT officials at the Defense Department said this week that they are on track to meet the deadline.

“We’re clearly in the implementation phase,” Dave McKeown, DOD chief information security officer and deputy chief information officer for cybersecurity, said Wednesday at the Defense Acquisition University’s Zero Trust Symposium. “We’ve done a lot of planning, we’ve tried to educate the force, we’ve gotten the plans all submitted. And now, we’ve got to move into execution.”

Hit the ground running

To help streamline zero trust adoption across the enterprise, the Pentagon established a zero trust portfolio management office led by Randy Resnick. During the remainder of fiscal 2024 and into fiscal 2025, the office plans to rapidly move out on developing zero trust proof of concept pilots, with at least 15 pilots already lined up, Resnick said Tuesday during the symposium.

Getting the pilots off the ground will hopefully mitigate any apprehension about the possibility of implementing zero trust by 2027 that Pentagon components may have, he noted.

“If we start generating potential solutions that have been independently assessed, and validated to hit target, then we’re showing that this assemblage of vendors or products put together in a certain configuration can actually deliver the results that we see coming out of zero trust,” Resnick said. “And so, it would be then up to the components that decide what they want to do next.”

While the goal is to adopt zero trust across the department, officials have emphasized that there is no one-size-fits-all approach to implementation. To that end, the zero trust strategy provided a capability execution roadmap with three courses of action (COAs) that agencies and components may take.

Resnick said the 15 pilots planned by the portfolio management office will focus on COA 1, which uses a brownfield approach by adding new technology to existing IT infrastructure.

In the future, the office wants to launch pilots for COAs 2 and 3 — which will leverage zero trust-compliant commercial cloud capabilities and government-owned clouds, respectively. McKeown said DOD is working with industry on those COAs, stressing to them the importance of having integrated solutions that meet target-level requirements.

The Pentagon CIO’s office will also continue work in facilitating assessments of vendor zero trust technology and integration, Resnick noted.

Companies are being asked to independently integrate and test their products to see if they reach target levels of zero trust. If those companies feel they have achieved the necessary requirements and the Defense Department agrees with the assessment, the vendors will be invited to participate in “purple team assessments” that test and analyze how both adversaries and cyber defenders act in the environment, Resnick explained.

If the integrated system meets target levels of zero trust or higher, then the Pentagon can officially give it the green light via adjudication, he said.

“It’s an important element of approval because that would give a signal to DOD and any other customer that this configuration with these hardware and software … delivered to us target-level [zero trust],” he added.

Conducting red, blue and combined purple team assessments of the environments is critical to delivering integrated zero-trust solutions, McKeown said.

“We have fielded lots of good cybersecurity tools throughout the [DOD Information Network] over the past decades. All of these tools served a purpose, but were not well integrated,” he said. “Integration is the key to making all of the tools work more synergistically together and improving the effectiveness of our cyber defenses.”

A need to go faster

As it continues to move forward with zero trust implementation, the DOD CIO’s office is incorporating mechanisms that aim to speed up the process and keep efforts on track for the 2027 deadline.

A key lesson came in recent months when the portfolio management office reviewed and approved the first zero trust implementation plans that each DOD agency and component submitted. The CIO’s office is requiring individual components to create and submit these implementation plans each year by October.

Resnick said his office approved all 39 of the submitted plans in January and then provided an update to Congress based on those reviews in March. It was an effort that required a lot of back-and-forth communication with each component and took 35 full-time employees three-and-a-half months to complete, he noted.

Now, the portfolio management office is looking at how it can automate the process for future years, Resnick said.

“It was a tremendous effort. We did it once, and the lessons learned here was that we really can’t repeat this process. It is untenable,” he said. “We need to automate the assessment process. We need to put it in electronic form where we could actually apply AI tools to actually ask questions and to achieve answers based on the submissions, and that’s where our head is going right now.”

In addition, DOD CIO John Sherman said that he is working to improve the authorization (ATO) and continuous authorization (cATO) processes that are used to minimize and manage cybersecurity risk responsibility for software systems.

Speaking Tuesday at the symposium, Sherman said it is likely that guidance on “reciprocity by default” will be released that will address the lengthy time and repetitive efforts associated with ATOs.

His office is also working on evaluation criteria for cATOs, with a draft already outlined and plans to talk with each of the services about their own cATO evaluation criteria underway, he said.

“It takes too long to get software deployed and other capabilities. And these are patriotic Americans working hard to do the right thing by implementing the [risk management framework], but we’ve got to do better on this,” Sherman said.

Reaching target levels and beyond

Although the Defense Department believes it is on track to reach target-level zero trust by 2027, Sherman highlighted that it still has plenty of work to do ahead of the deadline.

For example, the Pentagon has long discussed implementing an enterprise solution for identity, credential and access management (ICAM) — considered a key component of zero trust. The CIO’s office is still evaluating options for a federated ICAM solution, Sherman said. 

Another ongoing effort is implementing zero trust practices in cloud environments, he added. The department is currently working with all four cloud services providers contracted under the Joint Warfighting Cloud Capability (JWCC) contract — Microsoft, Oracle, Amazon Web Services and Google — to conduct red-teaming assessments and understand zero trust in the cloud, he said.

The Pentagon is also continuing its investments in zero-trust capabilities and expanding the pool of vendors able to offer cyber protection, starting with endpoint security, Sherman noted. The department is already using Microsoft Defender for Endpoint — an enterprise endpoint security platform — for unclassified networks and plans to eventually use it for the secret level as well.

“There will be other opportunities for other cybersecurity service companies for other parts of the enterprise, for non-Microsoft endpoints,” Sherman said. “As we look at [operational technology] and elsewhere — as we expand zero trust out — we’re going to use other companies as well. We do not have a monoculture on one company here.”

As for what happens after the 2027 deadline, the Defense Department is already thinking about how it will implement what it refers to as “advanced levels” of zero trust cybersecurity — as well as other use cases for the architecture.

While target levels cover minimum data security requirements, advanced levels are defined as the achievement of the full set of capability outcomes. Along with the 91 activities that are needed to reach target zero trust, advanced levels will require an additional 61 activities, according to the DOD’s strategy.

“This is not a one and done. We’ve got the target-level zero trust and then the broader implementation of zero trust five years later,” Sherman said.

The Pentagon is also exploring how it will leverage zero trust beyond its information technology infrastructure, such as on weapon systems.

“It’s one thing to do this on networks, it’s another thing to do it on a weapons system or weapon platform, on operational technology, on [supervisory control and data acquisition systems] and so on,” he said. “It’s gonna be a bit of a lift there too. We’re gonna have to figure out how to do this as well because we know their threat vectors there.”

Deputy CIO gives updates on Pentagon’s ‘aggressive’ plan for achieving zero trust by 2027
https://defensescoop.com/2024/02/15/dave-mckeown-pentagon-aggressive-plan-zero-trust-2027/
Thu, 15 Feb 2024 22:21:42 +0000

Dave McKeown shed light on his team's unfolding efforts and work with Congress, during CyberScoop's Zero Trust Summit.

The Department of Defense is moving with a sense of urgency to meet its ambitious goal of operating on a zero trust-based cybersecurity architecture by 2027, according to a senior IT official.

Broadly, zero trust refers to a cybersecurity concept and framework that requires non-stop monitoring and constant authentication to secure critical national security information — and assumes all networks are compromised from the get-go.

“We published a reference architecture, a strategy and an implementation plan. The strategy and implementation plan do clearly define what we mean by ‘zero trust’ in the Department of Defense. We have two different layers of achieving zero trust — one is targeted, and the other is advanced. We want to achieve targeted zero trust by 2027. We are an extremely large organization with many networks, and while 2027 may not seem that aggressive, it is super aggressive for us to try to get there by that date,” DOD’s dual-hatted Deputy Chief Information Officer and Cybersecurity and Senior Information Security Officer Dave McKeown said.

During his keynote session at the Zero Trust Summit presented by CyberScoop on Thursday, McKeown provided fresh updates on all that’s currently underway for his team in this pursuit, and he discussed how they aim to soon expand the focus beyond traditional networks and move toward implementation across other types of systems as well. 

“As you would probably agree, the construct of zero trust is important no matter what the network is and no matter what the platform is — medical systems, weapons systems, critical infrastructure — we want to be cognizant of that and finish towards that,” he explained.

DOD points to three methods for achieving zero trust, McKeown also noted. Those include: understanding and uplifting the current environment, leveraging cloud services, and using purpose-built on-premises solutions.

The department’s strategy for achieving zero trust for the target level by 2027 is built around 91 activities.

“What have we done since we implemented the strategy? Well, Congress wanted us and the services to brief them on our overarching plans, so we have been working on those,” McKeown said. 

In November, all Defense Department agencies and military services submitted roughly 40 different cybersecurity approach plans to his team for review.

“We were very, very helpful to them. We gave them the outline of what we wanted them to see back and asked questions in the outline, so that when they delivered their plans back to us all of the things that we needed to see were there. We followed up with them once we received those outlines, and they were very good. I will tell you — the maturity of the understanding of zero trust and what we’re trying to achieve is strong within the department,” McKeown said.

There was a bit more back and forth after that and all the updates that were recommended were eventually made, and then those final plans rolled in at the end of January.

“And we’re now we’re going to create an integrated master schedule — my team is, the Zero Trust Portfolio Management Office that’s led by Randy Resnick — based on all those inputs that we came up with, with Congress, we’re gonna move from the planning phase and educating phase into the implementation phase over the next three years,” the deputy CIO noted.

Once those officials have that completely set integrated master schedule, they’ll focus on enabling appropriate zero-trust training across the department.

“We partnered with the Defense Acquisition University to develop training modules. And they go around conducting live-training events to educate people on what zero trust is. This is a huge effort to shift the whole entire department to a new paradigm for cybersecurity, so the training is totally vital,” McKeown said.

DOD to brief Congress early next year on zero-trust progress
https://defensescoop.com/2023/10/19/dod-to-brief-congress-early-next-year-on-zero-trust-progress/
Thu, 19 Oct 2023 19:33:46 +0000

The Pentagon's zero-trust portfolio management office is expecting to receive Defense Department components' plans by Oct. 23.

The Department of Defense is expected to brief Congress in January on progress made toward achieving so-called zero trust, according to a senior official.

Zero trust is a cybersecurity concept and framework that assumes networks are already compromised and require constant monitoring and authentication to protect critical information.

The services and other DOD components are due to submit their proposals to the Pentagon’s zero-trust portfolio management office by Oct. 23, a congressionally mandated deadline that will come a year after the department released its zero-trust strategy.

Officials will “spend the next four to six weeks, probably six weeks, analyzing every one of those plans and measuring the success of those plans on whether or not they’re giving us the information so that we know every single component is going to be hitting target-level zero trust or higher by fiscal ’27 or earlier,” Randy Resnick, director of the zero trust portfolio management office within the DOD chief information office, said during a panel at the Cyber Beacon conference Thursday hosted by National Defense University.

“We’re going to get all this data. We’re going to be really busy, heads down. But at the end of the year, let’s say mid-December, we’ll have a really good picture of exactly where the department sits on that. We’re going to be briefing Congress in January, third week in January, about the results of it [and] how the DOD is going to approach zero trust,” he added.

Resnick said over the last year, there has been little ambiguity over what his office wants from the components, noting that it has held frequent meetings on a monthly and quarterly basis, including one-on-ones.

He added that 80 to 90% of DOD components will likely meet or exceed expectations, but some may be assigned additional work to update sections or improve certain aspects. Those updates will need to be returned within a week, given that the portfolio office will be “under the gun” to get plans finalized by the end of the year and be prepared to brief Congress in January, Resnick said.

DOD to review agencies’ zero-trust proposals over the next few months https://defensescoop.com/2023/09/07/dod-to-review-agencies-zero-trust-proposals-over-the-next-few-months/ https://defensescoop.com/2023/09/07/dod-to-review-agencies-zero-trust-proposals-over-the-next-few-months/#respond Thu, 07 Sep 2023 15:59:23 +0000 https://defensescoop.com/?p=75331 The services and other Defense Department components will soon be submitting their plans to achieve zero-trust cybersecurity by 2027.

In the coming weeks, Department of Defense components will be submitting their plans for how they will achieve “zero-trust” principles within their slices of the network in line with the Pentagon’s strategy released last year, according to the top IT official.

Last fall, DOD released its zero-trust strategy as well as its reference architecture. Zero trust is a concept and framework that assumes networks are already compromised and require constant monitoring and authentication to protect critical information.

The strategy laid out a target level and advanced level of zero trust. The target level is the minimum set of capability outcomes to secure and protect data. The strategy states the DOD must get to the target level as soon as possible. Once that is achieved, the Pentagon will monitor continued compliance to get to advanced zero trust, which the document defines as the achievement of the full set of capability outcomes.

The goal is for the department to achieve the target level by 2027.

The strategy provided a roadmap for how organizations can achieve zero trust, but officials have been very clear from the start that there are multiple potential pathways. As a result, there will be several different approaches.

“I’ve used the term pick your own adventure on some of this … I suspect each of the components — matter of fact, I know they are — taking a little bit different path to get there,” John Sherman, DOD chief information officer, said at the Billington Cybersecurity Summit on Thursday.

These organizations will be submitting their plans to the zero-trust portfolio management office, led by Randy Resnick, next month, according to Sherman, who described it as a “very important milestone” to start the assessment.

“Between October and the holiday period, Randy and his team are going to be reviewing what these plans look like, consistent with what we’ve laid out with the capabilities, the 91 capabilities, that gets targeted zero trust by 2027,” he said.

Pending cloud pilot could get DOD to zero trust in a year rather than five https://defensescoop.com/2023/02/23/pending-cloud-pilot-could-get-dod-to-zero-trust-in-a-year-rather-than-five/ https://defensescoop.com/2023/02/23/pending-cloud-pilot-could-get-dod-to-zero-trust-in-a-year-rather-than-five/#respond Thu, 23 Feb 2023 17:29:16 +0000 https://defensescoop.com/?p=64121 The head of the Pentagon's zero trust office is hopeful the results from a pilot testing zero trust in the cloud will accelerate the DOD's timeline.

If an impending zero-trust pilot effort goes well, it could completely alter the Department of Defense’s timeline for implementing the cybersecurity architecture, according to a senior official.

Zero trust is a concept and framework that assumes networks are already compromised and require constant monitoring and authentication to protect critical information. The DOD’s strategy aims to get the department to such an architecture by 2027.

Under the plan, there are two levels of zero trust: a target level and advanced level. The target level is the minimum set of capability outcomes to secure and protect data and requires the delivery of 91 activities. The advanced level requires a total of 152 activities.

The Pentagon recently approached the four vendors awarded under the Joint Warfighting Cloud Capability (JWCC) contract to test if achieving zero trust to the “target level” in the cloud is possible.

“We could do zero trust in the cloud on any one, two, three or all four. This would automatically speed up adoption of zero trust in the DOD,” Randy Resnick, director of the Zero Trust Portfolio Management Office, said at the Zero Trust Summit hosted by CyberScoop on Thursday. “The five-year plan could potentially become one year. You could spin up a cloud in days.”

While other factors still must be met, such as moving users and applications, Resnick said the foundational zero-trust pieces will be there almost immediately.

“This is an accelerator for us and so we’re eager to see whether or not we could do this. We’ll test it in the field and produce final report,” he said. “I’m hoping that by the end of the calendar year, certainly maybe by the end of the fiscal year, we’ll have real data that could tell us whether or not we could do different clouds.”

Resnick also wants to see more and faster acceleration to the cloud because it offers better security.

“From a centralized location, you could do patching and updating, everybody gets the same thing. We would like to see that acceleration to the cloud, especially with zero trust,” he said.

When it comes to other aspects of getting to zero trust, Resnick said there are challenges associated with identity, credentialing and access management (ICAM).

“There are challenges in the ICAM world if you want to go beyond target into the advanced areas of zero trust. You will find if you study the documents, we require more from the ICAM system that exists today,” he explained. “This is acknowledged and understood today. We have programs and projects going on right now, fully funded with DISA and NSA to improve the ICAM systems in the DOD.”

When Resnick’s office was first established, part of its mission was to provide foundational documents for zero trust given nothing existed to date.

Now, he’s challenged his team to figure out what the National Institute of Standards and Technology 800-53 controls for risk management should be for zero trust, because that had not been done before.

Resnick’s team has been working on this task since October and is close to finishing its draft.

“I believe we’re going to have something to potentially share in the summertime, but it still requires a lot of coordination and approval processes through DOD and elsewhere,” he said. “But we will eventually this year present our interpretation of 800-53 in terms of zero trust, for public commentary.”

JWCC vendors to test zero-trust concept in commercial cloud https://defensescoop.com/2023/01/19/jwcc-vendors-to-test-out-zero-trust-concept-in-public-cloud/ Fri, 20 Jan 2023 02:55:21 +0000 https://defensescoop.com/2023/01/19/jwcc-vendors-to-test-out-zero-trust-concept-in-public-cloud/ The four vendors that were awarded under the Pentagon's JWCC contract will also test out zero trust principles in their clouds to inform the DOD's efforts going forward.

The Department of Defense plans to leverage the four vendors that were recently awarded its major enterprise cloud computing contract to experiment with the implementation of so-called zero-trust principles in a commercial cloud environment.

Zero trust is a concept that essentially assumes networks are already compromised and requires organizations to validate users, devices and data continuously. The DOD released its zero-trust strategy in October, which outlines three courses of action: institute zero-trust modernization improvements on the existing network, engage in zero-trust commercial clouds, or engage in a zero-trust privately designed cloud.  

It also defines a target level and advanced level of zero trust. The target level is the minimum set of capability outcomes to secure and protect data and requires the delivery of 91 activities. Advanced level requires a total of 152 activities.

The Pentagon plans to lean on Amazon Web Services, Google, Microsoft and Oracle — all of which were recently awarded the Joint Warfighting Cloud Capability (JWCC) contract worth up to $9 billion — to test if achieving zero trust to the “target level” in the cloud is possible, according to an official overseeing the effort.

When the DOD was looking at what commercial clouds exist, the zero-trust portfolio management office decided to ask the four cloud service providers — which will be competing for JWCC task orders — if they could implement zero trust at the target level within their cloud infrastructures, according to Randy Resnick, who leads that office.

“We got four different answers, because every infrastructure is made up of different capabilities in each one of those companies,” he said during a webinar Thursday hosted by Billington Cybersecurity. “To our satisfaction, at least on paper, they said to us that all of them could meet target-level zero trust and that many of them could approach almost the entirety, if not the entirety, of full zero trust, which we’re calling ‘advanced.’”

Now, the plan is to put those providers to the test later this year to see if they can actually do it.

“In the spring and summer, perhaps fall, depending on whether or not we have to go back for round two, we’re intending on testing all four of those CSPs … with their zero trust overlays for what they believe they’re telling us they could do at the target level,” he said.

National Security Agency red teams will attack the cloud infrastructure, allowing the DOD to determine if they can get in and exploit the data.

“That’s going to give us a really good feel on whether or not the zero-trust overlays are implemented correctly in any one, two, three or four of those [cloud service providers]. And that’ll give us a way forward for recommending to the DOD whether or not we could do zero trust in the cloud,” Resnick said. “If we speed ahead and we come to the conclusion that, in fact, it can be done, it would be absolutely revolutionary, because this means now that we can basically spin off a zero-trust cloud in a future DOD instantiation and that would already be built in with zero trust as part of its foundation.”

Resnick noted that this approach reduces risk and cost and simplifies the move to zero trust.

DOD will be checking agencies’ budgets to track implementation of new zero-trust strategy https://defensescoop.com/2022/11/22/dod-will-be-checking-agencies-budgets-to-track-implementation-of-new-zero-trust-strategy/ Wed, 23 Nov 2022 02:16:50 +0000 https://defensescoop.com/2022/11/22/dod-will-be-checking-agencies-budgets-to-track-implementation-of-new-zero-trust-strategy/ The DOD just released a public version of its new zero-trust strategy.

The Pentagon publicly released its zero-trust strategy and reference architecture on Tuesday. As part of that approach, the department will be holding organizations accountable to ensure they meet the deadline for achieving a zero-trust architecture, according to senior officials.

To track how the services and other Defense Department agencies are moving towards fully implementing zero trust by 2027, DOD leaders will be asking them to show how much they’re spending to get there.

“We will hold them accountable by asking them to build a plan, which … [the Zero Trust Portfolio Management Office] will coordinate with them on the realistic nature of their plan. As a part of that capability planning guidance that we talked about earlier they have to come back to us and show us in their budgets how much they’re spending on zero trust and what they’re getting for that,” David McKeown, acting principal deputy chief information officer, told reporters Tuesday when the strategy was unveiled.

The strategy was officially signed out in October but the public version wasn’t released until the completion of a review to sanitize it of classified components.

Zero trust is a concept and framework that assumes networks are already compromised and require constant monitoring and authentication to protect critical information.

Officials have maintained that the old paradigm of perimeter defense is no longer sufficient to protect against modern-day threats.

“Our adversaries are in our networks, exfiltrating our data, and exploiting the Department’s users,” John Sherman, DOD chief information officer, wrote in the strategy’s foreword. “Defending DOD networks with high-powered and ever-more sophisticated perimeter defenses is no longer sufficient for achieving cyber resiliency and securing our information enterprise that spans geographic borders, interfaces with external partners, and support to millions of authorized users, many of which now require access to DOD networks outside traditional boundaries, such as work from home. To meet these challenges, the DOD requires an enhanced cybersecurity framework built upon Zero Trust principles that must be adopted across the Department, enterprise-wide, as quickly as possible as described within this document.”

Randy Resnick, who leads the Zero Trust Portfolio Management Office, told reporters that senior officials will hold directors of agencies and field offices accountable for implementation over a period of time.

Organizations can do this in three ways, officials said: institute zero-trust modernization improvements on the existing network, engage in zero-trust commercial clouds, or engage in a zero-trust privately designed cloud.

“We are not prescriptive. As you read this strategy, we are not defining exact components that people have to buy [or] specific software or anything like that,” McKeown said. “We are defining capabilities here and we’re leaving it up to the services for how they implement those and integrate them together in order to achieve the desired zero-trust level … It’s been like pushing on an open door to try to get people to go to this. They see the need for it. The perimeter defenses were not working. Zero trust is the new alternative to better monitor and respond quicker to intrusions.”

The strategy provides the “how” for getting to a zero-trust architecture, he added.

The strategy defines a target level and advanced level of zero trust. The target level is the minimum set of capability outcomes to secure and protect data. The strategy states the DOD must get to the target level as soon as possible. Once that is achieved, the DOD will monitor continued compliance to get to advanced zero trust, which the document defines as the achievement of the full set of capability outcomes.

The DOD plans to reach the target level in the next five years, by 2027.

Resnick explained there shouldn’t be any major technical items that are unachievable to get to the target level.

“It’s just a matter of leadership’s ability to execute,” he said. “We have the dollars and every single year, we’re doing a review of what’s required going into the next years in the [future years defense program] to make sure that this is well-funded.”

The strategy lists seven pillars which provide the foundation areas for the model: user, devices, applications and workloads, data, network in the environment, visibility and analytics, and automation and orchestration.

The plan also includes four high-level strategic goals for how DOD will achieve its zero-trust vision. They include zero-trust cultural adoption, DOD information systems secured and defended, technology acceleration and zero-trust enablement.

The strategy notes there will be metrics to ensure progress toward achieving a zero-trust architecture within the aforementioned goals. A scorecard will be provided to the DOD cyber council to measure the plan’s progress and identify additional risks that need to be mitigated.
