WASHINGTON — The U.S. Department of Defense’s zero-trust strategy will be published in the coming days, giving the public a fresh look at its plan to achieve a new level of cybersecurity.
Pentagon Chief Information Officer John Sherman said Monday that he approved the plan “last Thursday” and it’s now “going through the public review process.” The documents, he said, should be out “very soon.”
The strategy will lay out the Pentagon’s approach to realizing zero trust, which comprises more than 100 activities and so-called pillars, including applications, automation and analytics, to keep critical data secure.
Zero trust is a new paradigm for cybersecurity, one that assumes networks are always at risk. As a result, continuous validation of users and devices is needed. The practice is often likened to “never trust, always verify” — or, as Sherman put it: “You truly trust no one or no thing.”
The pivot to active defense and inherent distrust comes after decades of investment in the Middle East, where U.S. troops confronted lesser-equipped forces and networks and communications were less at risk. Now, the U.S. faces China and Russia, cyber-savvy world powers with histories of digital aggressiveness.
“It doesn’t represent a defeat, it doesn’t mean that we’re not strong cyber defenders. But it recognizes that we live in a very sophisticated threat environment,” Sherman said at a Defense Information Systems Agency event in Maryland. “We’ve got to defend differently. We can’t just defend at the perimeter. That’s part of it, but not all of it.”
Defense officials previously imposed a five-year deadline to implement zero trust. Sherman on Monday described the target as a “heavy lift.”
“We’re talking about getting this done by 2027 for a 4-million-person enterprise. We’ve learned from a number of the big companies, whose names you know, who have been down this path, services that have done parts of this,” he said. “We recognize this cannot be an optional way to approach it.”
DISA in late July extended a zero-trust deal, known as Thunderdome, with Booz Allen Hamilton, citing lessons learned from the Russia-Ukraine war and the need to further insulate the Secret Internet Protocol Router Network, or SIPRNet, a means of relaying secrets.
DISA, the Pentagon’s lead IT agency, in January awarded Booz Allen the $6.8 million contract to develop a Thunderdome prototype. The subsequent six-month extension lengthens the pilot to a full year, with completion now expected at the start of 2023.
Sherman on Monday said the forthcoming zero-trust strategy “is informed greatly by what is going on with Thunderdome, with the DISA team here.”
Colin Demarest is a reporter at C4ISRNET, where he covers military networks, cyber and IT. Colin previously covered the Department of Energy and its National Nuclear Security Administration — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.