DOD To Begin Reviewing Zero Trust Implementation Plans Next Week
The U.S. Department of Defense (DoD) will begin reviewing a total of 47 zero-trust implementation plans from the military services and defense agencies between October 23 and December 31, according to Randy Resnick, director of the Zero Trust Portfolio Management Office.
Resnick discussed the review process and other upcoming zero trust news with AFCEA International’s Cyber Committee on October 3.
Congress mandated in the National Defense Authorization Act that, one year after publication of the department’s zero-trust strategy document, all defense components must deliver implementation plans illustrating how they will reach each target under the strategy. “That turns out to be the end of this month. We're expecting 47 implementation plans coming to us for review and evaluation. Those 47 documents are going to explain how they are going to achieve target-level zero trust on 100% of their .mil that they own and operate on both the NIPR and SIPR,” he said. NIPR and SIPR are shorthand for the Non-classified Internet Protocol Router Network (NIPRNet) and the Secret Internet Protocol Router Network (SIPRNet), the department’s unclassified and secret-level networks.
Resnick, whose office falls under the Pentagon’s chief information officer (CIO), said defense officials are required to brief Congress on the plans at the end of January.
Following the initial reviews, the department will give a thumbs up for implementation plans done well and then will monitor progress in the coming years with the goal of achieving zero trust in 2027. “We're going to hold quarterly updates with each one of those 47, and we're going to report stats through our chain of command to the CIO, and ultimately probably up to the DepSecDef [deputy secretary of defense], who's going to monitor this progress,” he added.
Resnick’s team likely will spread out the reviews over the course of a year rather than attempting to do all 47 each quarter, he clarified.
The various components will likely be able to pick and choose from three possible zero-trust architecture solutions: baseline, public cloud computing provided by industry, or private cloud provided by a government agency such as the Defense Information Systems Agency or the National Security Agency. “We believe that the DoD is going to come back to the portfolio office, and they're going to explain to us a combination solution that's going to include a little bit at baseline, a little bit of commercial cloud and a little bit of broader class.”
He described baseline zero trust as “augmenting the existing hardware infrastructure that's already laid down in the DoD” in a way that meets the requirements for target-level zero trust. “There will have to be some networks as our baseline. There are just some networks that can't go cloud. If you have, for whatever reason, an old software that can't be moved to the cloud, something that is super critical...then it might have to remain baseline,” he said. “But we’ll see that somebody's falling behind because we're going to know what plans they're choosing based on whether it's cloud or the baseline, and we kind of know where they should be over a period of time in order to hit target by the end of 2027. If they fall under where we expect them, that's when we'll have immediate feedback and get them back on track.”
Pentagon officials already are in the process of evaluating both commercial and government cloud solutions in ongoing pilot projects. “We're conducting and performing red team assessments on quality—or just assessments—because it's really purple team. We're testing interoperability and zero trust in the baseline, the commercial clouds and the private clouds because nobody budgeted for these things. We're more nimble. We have the dollars. We have the ability to conduct these pilots,” Resnick reported. “We're going to have four of them run this year with various vendors in combination, four or five vendors together to generate a zero-trust outcome, and then we'll present all that detail to the services.”
Both Microsoft Azure and Oracle Cloud have been tested. The results have not been finalized, but “they seem a little more positive,” Resnick said. Within the next four months, they could assess solutions from Dell and from the National Security Agency.
Regarding identity, credential and access management (ICAM), the department likely will solve any interoperability challenges by allowing federated, or separate, ICAM systems to feed into one central enterprise system. “Our foreign partners and components and agencies, they would rather have, for various positive reasons, their own ICAM system that's interoperable. So, we're going to have federated ICAM communicating to the enterprise ICAM, and what they need to do to federate to the enterprise is documented,” Resnick said. “Some of them are already implementing this interoperability in the ICAM system.”
Additionally, officials intend to standardize data tagging, similar to what the intelligence agencies already have done. “The intel community right now has standards that they're tagging, and they're able to share and do analytics based on those tags because they're standardized. We are working with the data office to come up with what we're calling ECV, economical control vocabulary,” Resnick said, adding that he doesn’t like the term. “But basically, this is a standardized way to do data tagging in the DoD. We're going to be running a pilot, and if it’s positive and successful, we are going to work to implement this across the DoD. We would solve a problem that has existed for the last 12 years.”
Also upcoming is an updated version of the security controls catalog commonly known as 800-53 (NIST Special Publication 800-53), which could be publicly released within a week or two. “We're just dotting the i's and crossing the t's,” he said.
The department also expects to complete a new reference architecture for 5G mobile technology as it relates to zero trust “before the end of the year, and we'll be able to share that with everybody.”
Furthermore, both the Massachusetts Institute of Technology Lincoln Laboratory and Sandia National Laboratories will soon begin working on the next generation of zero trust and will help resolve any interoperability problems that may arise.
Lastly, the department may require that four zero trust-related courses on the Defense Department’s Joint Knowledge Online platform either be made mandatory for individuals or be folded into mandatory annual cyber training.
Resnick told the AFCEA Cyber Committee members that the department has received very little pushback from the various components on the zero-trust strategy or the delivery of the implementation plans, in part because the zero-trust approach acknowledges that adversaries have already infiltrated the networks. “We already have a pacing challenge in Indo-Pacific Command, and so there's an urgency there to want to get on with it. We are meeting with the components. We've met with them since March. So, everybody's going to be delivering the 47 reports.”