The Department of Defense’s (DoD) new zero trust strategy outlines 90 capabilities that will help the department bring to bear its “targeted” zero trust framework across the entire department, said DoD Chief Information Officer (CIO) John Sherman.
“Zero trust is a paradigm shift we talk a lot about, but we do this because it’s an important paradigm shift,” Sherman said during the Billington Cybersecurity Summit on Sept. 8.
Sherman, via a Pentagon spokesperson, confirmed to MeriTalk last week that the DoD was developing this new zero trust strategy and plans to implement it across the entire department by 2027. Currently, the strategy is slated for release in the coming months.
“And to have this zero trust approach implemented across the entire department by 2027 is darn quick for an enterprise of our size. But we’re committed to getting after this because the adversary capability we’re facing leaves us no choice but to move at that level of pace,” he added.
The strategy, Sherman explained, has 90 capabilities to get to the “targeted” zero trust approach that the Pentagon is after. It also includes an additional 62 capabilities to help the DoD reach a more advanced level of zero trust for national security systems or systems that are “very, very important.”
In addition, Sherman explained that the DoD plans to create an implementation plan for military services and DoD agencies. The strategy also includes three methods to bring to bear the Pentagon’s targeted zero trust goal, including “uplifting the current environment of each military service and agency to meet the 90 capabilities and achieve the highest level of zero trust.”
DoD Prepares to Implement New Zero Trust Strategy, Data Challenge Expected
On day one of the Billington Cybersecurity Summit, on Sept. 7, David McKeown, the chief information security officer and deputy CIO for the DoD, also shared the upcoming zero trust plans.
“We have a definition of what it takes to check the box and fulfill that capability. Those 90 capabilities are going to get us to what we’re calling targeted zero trust,” McKeown said.
“We as a department also understand that within our organization, we have different sectors that operate differently. So, while we have a set of ambitious and strict deadlines, we have allowed for some flexibility so that each agency within our department can implement zero trust in a way that would work for them because, as we know, there is no one-size-fits-all approach to this,” McKeown said.
In addition, McKeown explained that in this transition, the department needs insight from its partners in the private sector because “there is no one person or agency that will make zero trust work.” Partnerships are therefore critical.
However optimistic or ambitious DoD officials may be about this strategy, it comes with a significant data challenge. Because of the quantity and quality of data the DoD manages, the department will need to pay close attention to the access granted to individuals and to how long that access lasts.
“We are going to have to pay close attention and be very meticulous about how we classify and organize the data that we have because it will not be easy,” McKeown said.