After a year of planning, military service branches and defense agencies have submitted their zero trust security implementation plans to the Department of Defense (DoD) zero trust team for evaluation, according to the department’s zero trust lead.
Randy Resnick, director of the Zero Trust Portfolio Management Office, said plans were due on October 23. His office received as many as 43 zero trust implementation plans from the military services and defense agencies. Resnick’s office has until December 31 to review the plans they received.
“Those 43 implementation plans [under review] are going to explain how to achieve target-level zero trust,” Resnick said during a GovExec webinar on October 23. “We delivered to the components the ‘target-level’ zero trust outcomes we want to see in their plans; now they got to deliver the how.”
In late 2022, the DoD released its zero trust strategy and roadmap outlining how the department plans to fully implement a department-wide zero trust cybersecurity framework by fiscal year (FY) 2027.
The strategy and roadmap envision an information enterprise secured by a fully implemented department-wide zero trust cybersecurity “target level” framework that will reduce the attack surface, enable risk management, make data-sharing effective in partnership environments, and quickly contain and remediate adversary activities. The DoD’s zero trust plan lays out 91 “target level” goals to be achieved by FY 2027.
Congress mandated in the National Defense Authorization Act for 2023 that one year after the publication of the department’s zero trust strategy, all defense components must deliver implementation plans illustrating how they will reach each “target-level” outcome.
Defense officials are also required to brief Congress on the plans at the end of January 2024.
“We have to brief Congress on the DoD’s plans for zero trust. How it’s going, describe to them exactly how we’re going to do it, and explain whether we’re going to get there by 2027 or earlier,” Resnick explained.
Before the evaluation period, Resnick said, his team held monthly conversations with the military services and defense agencies, beginning in early February 2023, in which they jointly developed a “table of contents, so that every implementation plan has similar looks and feels,” while remaining unique to each component.
“We describe to everybody what we expect or want to see in these plans,” Resnick explained. “There are going to be 43 different solutions [for] zero trust, which is very exciting and creates a lot of opportunity for industry. But in the end, we’re looking for the same outcome, ‘target-level’ zero trust, which we believe would stop the adversaries’ ability to exploit DoD data.”
After the evaluation process, the next step for the Zero Trust Portfolio Management Office will be to start tracking the progress of these components.
“We have to, in detail, monitor the schedule of all 43 components on their progress to zero trust,” Resnick said. “All of them are going to march on a different schedule, with different solution sets.”