WASHINGTON — The Pentagon’s top IT office is considering establishing a portfolio management office dedicated to accelerating the adoption of zero-trust cybersecurity architectures, a senior IT official told Congress April14.
The creation of a zero-trust portfolio management office would provide “critical centralization and orchestration” for the department’s move toward the advanced cybersecurity architecture, in which users are are assumed to be unauthorized throughout the network unless proven otherwise, DoD chief information security officer David McKeown. McKeown was testifying before the Senate Armed Services Committee’s cybersecurity subcommittee.
The department has launched several pilot projects testing zero-trust concepts in the last two years and earlier this year the Defense Information Systems Agency and the NSA worked on zero-trust reference architectures.
If the Pentagon’s CIO shop establishes the portfolio management office, it would be responsible for “consolidating” talent from across the department, including network administration and cybersecurity experts, to manage “the complex task of moving the DODIN to this new cybersecurity construct,” McKeown wrote in his testimony.
The office would also be responsible for a campaign about the benefits of zero trust and would share best practices within the department, mission partners, the defense industrial base and allies, he said in written testimony. The office would also be develop a “strategic roadmap” for the department’s move toward zero trust. Russ Goemaere, a spokesperson for the DoD, said the office would “aim” to set up the portfolio office in the next six months.
McKeown also highlighted the Air Force’s Cloud One, its enterprise cloud, as a cloud-native zero trust environment and added that several DoD systems have migrated to that cloud environment. According to the McKeown, Cloud One implements all of the components of zero trust the DoD considers “pillars”: users; applications and workloads; devices; data; networks and infrastructure; visibility and analytics; and automation and orchestration.
Moving to a zero-trust model in the department’s cloud computing environments is critical given that cloud computing is central to the Pentagon’s digital modernization strategy and the Defense Information Systems Agency future plans as the department’s primary IT provider. DISA, in partnership with the DoD CIO, NSA and Cyber Command, is creating a zero trust lab to test zero-trust capabilities.
As part of the department’s push toward zero-trust, DISA is also working on a cloud-based internet isolation tool that allows users to remote browse the internet securely.
McKeown said the department is also taking another step toward zero-trust cybersecurity through a new enterprise-wide identity, credential and access management tool from DISA. He said that the department is already onboarding many of the department financial systems onto that tool.
“We believe that that will be the exemplar that we adopt across the board across the department,” McKeown said.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.