As cyber attackers continue to evolve and nation states use cutting edge methods that anticipate even the most fortified defenses, the U.S. Department of Defense continues to make progress shifting from a patch and remediation mindset to one that focuses on truly transforming cyber practices for the future.
Along with this change in thinking comes changes to the processes that govern how the DoD defends its network and that includes implementing Zero Trust Architecture. A year after issuing its initial guidance, the Pentagon is ahead of the curve in its Zero Trust journey, but individually every component is at a different mile marker, facing their own unique challenges.
DoD CIO John Sherman announced in early September that the Pentagon would be assessing the Zero Trust plans of every component, an action he identified as a “very important milestone.” The review will make sure plans are consistent with the agency’s broader zero trust vision and the 91 capabilities outlined to achieve targeted zero trust goals by 2027.
While the DoD begins its assessment, these components should be looking ahead to the next phase of their plans and begin implementing their specific strategies. There is a lot of work ahead, but by utilizing best practices — both technical and non-technical — developed and honed by the private sector, the DoD can take meaningful action to strengthen cyber strategies.
Starting wherever you can
DoD entities including the Defense Information Systems Agency have advanced quickly in their Zero Trust journeys, harnessing the power of AI and other innovative technologies to implement advanced threat detection algorithms, multi-layered encryption protocols and real-time monitoring to counteract cyber threats. Not every component has the in-house expertise or technology that DISA does to make those big leaps. But everyone has the capabilities to pick a place to start and make meaningful progress.
For example, for those having trouble moving from the planning to the implementation stage, a great place to start would be getting an accurate inventory of users and devices. Not only will this make it easier to get the right permissions to the right users from the start, but it will also give Network and IT teams a chance to make sure access privileges for former employees have been revoked.
Risk tolerance is another quick entry into Zero Trust implementation that doesn’t involve a big technological lift. That means IT and security teams need to identify the minimum threshold for letting a user have access to certain parts of the network. User access is dynamic, changing by the day depending on the situation. Because of that, the minimum threshold must be monitored and re-evaluated to make sure everyone is getting the access they need to complete the mission and keeping anyone out who shouldn’t have access.
More than just security
It’s also important to remember that implementing Zero Trust isn’t just about making DoD networks more secure, it’s also about fitting into a larger modernization vision that can help the Pentagon realize better performance for the mission. Reinforcing that cultural mindset in both messaging and communications will help everyone, down to the least technical employee or military member, realize why this effort is so important and where they fit into the process.
This leads into another action DoD components can take in their initial stages of implementation. IT teams should begin the process of understanding the role each person employed by the agency, what information they should have access to and when they should have access to it. This will be a huge help as the process moves forward because mapping the flow of information in this way helps IT and security teams build in permissions and requirements early on rather than trying to build them in piecemeal after the fact.
DoD components, from the foxhole to the flagpole, all have a long way to go before hitting the goal of full Zero Trust implementation by 2027, but that shouldn’t invoke anxiety. Much like any other important technology initiative, every step forward counts. No matter where you are in your implementation story, the goal is to keep moving and keep pushing for the foundational cultural and technological changes that need to happen to stand up a true Zero Trust architecture over the next four years.
Mark Wiggins, is Director DoD, IC, and Federal Systems Integrators at Fortinet Federal, a unit of Fortinet Inc. focused on modernized and secure infrastructure for the U.S. Government.