Recap: Inside the DoD Zero Trust Strategy

Billington CyberSecurity Virtual Roundtable | Inside the DOD Zero Trust Strategy | January 19th at 12:30pm ET Virtual Fireside with Randy Resnick, Director, Zero Trust Portfolio Management Office, Office of the CIO, U.S. Department of Defense | Moderator: Steve Faehl, Security CTO, Microsoft Federal

A Webinar Featuring Randy Resnick, Director, Zero Trust Portfolio Management Office, Office of the CIO, U.S. Department of Defense

Billington CyberSecurity on 19 January hosted a webinar and conversation between Randy Resnick, DOD’s Zero-Trust Portfolio Management Office Director, and Steve Faehl, Chief Technology Officer for Security for Microsoft Federal. The conversation focused on DOD’s recent release of its first Zero Trust Strategy and Implementation Plan.

Mr. Resnick started the conversation by highlighting that the strategy was the culmination of 4 years of hard work by a focused and committed DOD-wide group of experts, with the primary goals of moving the Department’s cybersecurity program beyond perimeter defense and stopping adversaries from exploiting DOD data. The group’s motto from the beginning was “Target and Advance,” which Resnick explained as a focus on “pushing for, initiating, and achieving a number of incremental activities within DOD at all levels of the organization to get to a zero-trust baseline in five years” and then continuing to move forward in the years that follow. He emphasized that the release of the strategy was also DOD’s way of recognizing that the adversary was already within its networks and that a change was needed to address that.

How to Achieve Zero-Trust?

Mr. Resnick highlighted that from the start, his program office wanted to give those responsible within the Army, Air Force, and Navy a way to enact zero trust using an outcomes-focused approach, providing them flexibility in how they achieve the plan’s goals. Under this outcomes-based approach, the plan includes 91 activities that service elements need to meet before being baselined as zero-trust certified, plus an additional 52 activities to attain advanced zero-trust certification (see page 23 of the strategy for more detail). The plan outlines an iterative approach to achieving each of these activities so that results can be measured over time.

The strategy offers three different courses of action that DOD mission elements can consider for completing these zero-trust activities, and it does not point to specific solutions or solution providers. Resnick stressed that the need for flexibility was due to the fact that each military component faces different situations and environments and is already at a different stage of its zero-trust journey. The strategy’s three courses of action were:

  • Modernizing existing networks through technical and policy augmentation. In this course of action, DOD elements would augment existing networks and current solutions with security software, processes, and procedures that allow them to meet the 91 criteria.
  • Leveraging the four public cloud providers that were recently awarded opportunities in the Joint Warfighting Cloud Capability (JWCC) contract decision of December 2022. Resnick emphasized that each of the four cloud providers believed they could already meet the 91 criteria, but that DOD would spend 2023 testing and confirming that this was the case.
  • Leveraging private clouds designed, built, and defended exclusively by the government. Resnick pointed out that there were already several private clouds within DOD that had been built and tested to meet the 91 criteria, and at least one case where NSA had built a cloud that already met the advanced criteria. DOD would also spend 2023 red teaming these private clouds and confirming that this was the case as well.

Resnick was quick to point out that any one of these three courses of action, or a combination of them, could ultimately move DOD toward realizing zero trust as long as the 91 criteria were met. He also highlighted that the three options provide more avenues for potential success, that his focus was on getting the organization to move forward along these multiple avenues, and that integrating any combination of them would likely be the hardest part of the journey.

Recognition that Cyber Culture Must Change

Another emphasis within DOD’s Zero-Trust strategy was a focus on changing the U.S. military’s cybersecurity culture. Resnick cited the absolute need for people to understand the role they play in helping to protect their organization. He emphasized that paying attention to potential cyber threats, as well as respecting and understanding the accompanying new policies, rules, and training regimen within a zero-trust environment, was an absolute requirement for its success. In addition, he argued that zero trust comes with a new vocabulary, and with new training to understand that vocabulary and its role in making it all work.

In terms of how the strategy would be implemented, Resnick lauded the current unity of effort that the entire DOD has brought to getting a zero-trust environment up and running. His team currently holds weekly huddles with key stakeholders such as DISA, JFHQ-DODIN, Cyber Command, DOD’s CDO office, NSA, and senior Pentagon acquisition leadership. Additionally, the DOD Zero-Trust team holds quarterly technical exchange meetings that share test results and key lessons learned with all invested parties. Right now, the team’s focus is on testing and red teaming the various courses of action to determine their viability. He was confident that enough checks and balances were built into the plan that if some elements fell behind, others would jump in to help them get back up to speed fairly quickly. He was also confident that everybody, at the moment, was working off the same sheet of music, actively engaged, and excited to move this forward.

Engaging with the Private Sector

In terms of where the private sector could help, Mr. Resnick highlighted three areas where he believed its role was critical. First, he believed the private sector could help address the huge scale of the project as well as meet the aggressive timeframe in which his program office would like to see this done. Resnick pointed out that DOD has over 3 million endpoints in its overall network configuration and would greatly value the private sector’s ideas for transitioning this entire ecosystem. Second, he highlighted the need for seamless interoperability and the role that industry plays in making that happen. He followed up by pointing out that the private sector could provide faster innovation in future products and services as the entire DOD moved to meet the advanced requirements. Third, he pointed out that DOD will need help documenting and explaining all the work done.

Lastly, Resnick emphasized that there is a lot more work that his office needs to do to make sure that the implementation, both as planned and in the future, is recognized. His team is currently hard at work putting together:

  1. A reference guide on how to build a zero-trust network,
  2. A plan outlining how DOD’s plan fits with and changes the NIST’s 5300 Zero-Trust Framework,
  3. A plan to measure performance,
  4. A tactical and technical Zero-Trust reference architecture, and
  5. A version 1.5 of the Zero-Trust implementation plan that addresses low bandwidth environments.

Resnick highlighted that, while things are really in sync now, the things he is watching for that could slow the entire process down in the future include:

  • Ensuring momentum at all levels of the organization continues,
  • Continuing to garner support from Pentagon leadership,
  • Making sure that funding exists, and
  • Preparing to come up with contingencies if one of the three current paths proves not to be viable.
