DoD Implements Zero Trust With Comprehensive Evaluation

A new evaluation process includes extensive red-blue team testing to ensure robust solutions.

As the Department of Defense (DoD) cautiously races toward zero trust (ZT), it prepares to implement a system and order from industry.

“The whole idea is to have zero trust in zero trust,” said Randy Resnick, senior advisor, Zero Trust Portfolio Management Office, Office of the DoD Chief Information Officer.

The Zero Trust Portfolio Management Office is introducing a repeatable process for evaluating ZT developed over several months. The office established goals, strategies and documents for ZT centered around stopping adversaries' exploitation of DoD data and networks. They created a plan, including training, industry collaboration and assessment tools, Resnick told the audience on Tuesday at the defense technology event, TechNet Cyber.

The office laid out “a learnable, repeatable process for independent assessments that goes all the way through development, through testing, through an ATO [authorization to operate], through operations,” Resnick said.

The process starts with a self-evaluation.

“What we built is 220ish questions that would be eventually on a cloud that's going to ask you questions on your design for zero trust. It's going to get into the design itself, the components, the activities that you believe you hit, the ZT controls and a whole bunch of other things,” Resnick explained.

This process will help participants understand their strengths and weaknesses, and it requests exhaustive information to give the office a clear picture of the potential role a supplier could have, according to Resnick.

“You can't really game it because it's 250 questions, and the odds are that you have to pretty much lie on a lot of them to skew the results,” Resnick explained.

At the end of this process, suppliers should have a clear picture of the adjustments required to iterate improvements.

Another aspect is aggressive attacks on solutions.

Resnick criticized approaches where one red-team attack is performed on any given solution and said he encouraged independent and sustained action.

“I want three weeks or a month on station with these red team solutions,” Resnick said.

This means that attackers and defenders would both sustain their operations to understand in depth how to attack, and defend, each ZT implementation.

These groups of red and blue experts, purple teams Resnick called them, will be National Security Agency-approved.

“We have DoD purple teams, which is truly independent rather than what the vendor of vendors say something meets. In this way we think we're going to get the best designs implemented in the Department of Defense,” Resnick said.

Once solutions are considered robust enough, the approval process will go back to DoD authorities for a final signature and complete the ATO process.

“What we want to do, we want to slide in zero trust in existing [ATO] processes, which will be sped up by others,” Resnick explained. Once everything is ready for final approvals, Resnick expects all internal stakeholders to align and complete the process.

Resnick addressed another factor, as ZT implementations mean a disruption in current processes.

“We had no training for zero trust,” Resnick said and stressed the importance of implementing programs for different stakeholders engaging these solutions. He urged businesses to follow suit, as learning creates awareness and changes culture.

Resnick explained that shifting the DoD toward ZT had been a tough feat, but leadership supported this change.

“Imagine the DoD being a really big ship with the smallest rudder you ever saw in your life. Try to turn that ship,” Resnick joked and detailed how support came from the top echelons of DoD.

Additionally, the office influenced global allies and U.S. agencies and is pushing for standardized, independently tested zero-trust solutions by 2027, ensuring continuous assessment and improvement, according to Resnick.

TechNet Cyber is an annual event held in Baltimore, Maryland, organized by AFCEA International. SIGNAL Media is the official media of AFCEA.