The Defense Department has set a five-year goal to deploy zero-trust to the majority of its enterprise -- 4 million users. DOD's first few steps are the most crucial.
On Oct, 1, the Defense Department reached its deadline to release and start implementing a zero trust strategy, aiming to have zero trust deployed across a majority of its enterprise systems by 2027.
In government, five years is not a lot of time, and the first steps will be critical.
Deploying best practices like partnering with industry, learning from other government zero trust use cases and understanding strengths and challenges of implementing zero trust architectures will be foundational to setting up the department and its components for success.
Understanding the challenge
To put into context the complexity of implementing a zero trust strategy for an enterprise consisting of more than 4 million people, the DOD’s definition of zero trust includes 45 separate capabilities organized around seven pillars that include users, devices, networks and environments, applications and workloads, data, visibility and analytics and automation and orchestration.
To make progress on each pillar, the DOD is mapping 90 separate activities that need to be accomplished before the 2027 deadline.
Outside of the technical aspects, the Pentagon faces challenges that private sector organizations do not. To start, most organizations don’t have to deal with the life threating consequences of their work the way the military does. Nor do many of them have to securely analyze, package and transfer some of the most sensitive data in the world.
Beyond that, there will likely be policies that need to evolve, training that needs to be done and acquisition regulations that need to be followed. That’s all without mentioning the radical shift in mindset that DoD will have to adopt as a whole.
Build on Previous Successes
A logical way to simplify a task this big is to look to organizations that have been successful and map those use cases to the broader DOD plan––an approach that the Pentagon already seems to be embracing.
At an event in late August, DOD CIO John Sherman said that they are not trying to reinvent the wheel, but rather build on what’s already been piloted successfully across the services.
For example, DOD cyber officials could look to the inroads the Navy has made in utilizing identity, credential and access management technologies to underpin their own zero trust strategy.
Louis Koplin, the service’s Deputy Chief Technology Officer, said at an October Navy IT transformation panel that the Navy is starting to deploy an ICAM solution at scale within its Flank Speed collaboration platform, which already has significant zero trust capabilities built in.
Other components can look to this use case when implementing like elements of their own zero trust strategy. Zero Trust doesn’t mean a wholesale lift and shift, but rather understanding what investments will continue to add value as they set a path forward to support their own unique missions.
Partnering with Industry
Deploying an enterprise-wide zero trust strategy is not a challenge to be taken on alone. The DOD can and should be looking to its private sector partners—those on the leading edge of cyber technology and threat analysis.
For years, the private sector has led in innovation, successfully transforming cutting edge technologies into tools and knowledge for the new digital battlefield, providing capabilities that the DOD otherwise would not have had.
That can be done with zero trust as well. We all have a part to play in harnessing our unique skillsets to address the DOD’s challenges as the threat landscape continues to evolve.
The Pentagon is at the outset of a challenging five-year journey in building a reliable, resilient and interoperable zero trust strategy. These first steps will be crucial to setting a foundation that the DOD of the future can build on.