DOD to Offer Zero Trust Architecture This Year

The U.S. Defense Department by the end of the calendar year will release an initial zero trust architecture to improve cybersecurity across the department, says Vice Adm. Nancy Norton, USN, director, Defense Information Systems Agency, and commander, Joint Force Headquarters-Department of Defense Information Network.

Norton’s agency, commonly known as DISA, is working with the National Security Agency, the Department of Defense (DOD) chief information officer and others on what she calls an initial “reference” architecture for zero trust, which essentially ensures every person wanting to use the DOD Information Network, or DODIN, is identified and every device trying to connect is authenticated.

VADM Nancy Norton, director, @USDISA, reports that DISA and others in the department are working on a #ZeroTrust #cybersecurity reference architecture to be released before the end of the calendar year.#AFCEA pic.twitter.com/b7seQzYu2i

— George Seffers (@gseffers) July 15, 2020

“DISA is working with NSA and the ZT [zero trust] team to develop the initial zero trust reference architecture that will be out sometime later this year, and the Army will be able to use that, as well as DOD components, to guide them along the way in best practices for zero trust architecture,” she said while addressing the audience for the Army’s virtual 2020 Signal Conference, hosted by AFCEA.

Zero trust is expected to eliminate the traditional network-centric security model for the department. “This paradigm shift from a network-centric to a data-centric security model will affect every arena of our cyber domain, focusing first on how to protect our data and critical resources and then secondarily on our networks,” she said. “Under our traditional defense-in-depth approach, we have tried to make the DODIN trusted and safe territory. Under our new zero trust model, we will always assume that our internal networks are as hostile as external networks.”

The shift to a zero trust architecture will be a significant change for the department. “This changes a fundamental premise that denies all [network access]  and allows by exception rather than allowing all and denying by exception,” Adm. Norton added.

The change is needed because the Defense Department is constantly inundated with cyber attacks. “State and non-state actors try to attack our networks every day, and that attack surface spans the world across every service, combatant command and warfighting domain. This is a no-fail mission for our nation and its warfighters,” she declared. “Joint Force Headquarters-DODIN directs the defensive actions for millions of events across the attack surface of our DOD networks every day. Clever adversaries try to steal our credentials, escalate privileges and exfiltrate our data. That’s why we’re embracing zero trust—to prevent data breaches.”

VADM Nancy Norton, director, @USDISA, says the pandemic has higlighted the need for Zero Trust #cybersecurity.#AFCEA

— George Seffers (@gseffers) July 15, 2020

And the old, network-centric model is no longer enough, she indicated. “In the traditional perimeter or castle-and-moat approach to defending our networks, if our adversaries make it across the moat, they have free reign inside the castle. We are working to end that.”

The initial reference architecture is being built and tested in the Joint Interoperability Test Command Laboratory and will be used to “align core capabilities needed for zero trust and guide our lab testing,” she said.

While specific products that represent portions of the department’s current enterprise network capabilities will be tested to support reference architecture development, the objective is to develop a vendor-agnostic solution. “This work will inform and guide the department’s efforts to evolve toward a next-generation architecture. It will align cybersecurity and IT efforts to optimize tailorable, risk-based decisions based on performance and security. It also will serve as a framework and architecture to guide cultural change in how we operate and defend our information environment.”

The new architecture will take advantage of existing capabilities while incorporating new principles, analytics, policies, devices and automation. “It won’t replace many of our current systems, tools or technologies, but it will enable us to take a more holistic approach to integrating, augmenting and optimizing existing functionality to evolve our enterprise architecture,” Adm. Norton explained.