Department of Defense (DoD) Chief Information Officer (CIO) John Sherman said today that defense and military agencies must submit zero trust plans to his office in the coming weeks to be evaluated and to determine how they measure up to the DoD’s Zero Trust Strategy.
“We are determined to get zero trust across the department by 2027. It is a key priority for us, and we are firmly on that vector,” CIO John Sherman said at the Billington Cybersecurity Summit. “Next, we will begin reviewing their plans to determine if their respective plans are consistent with what we have laid out in the Zero Trust Strategy.”
As part of the strategy, individual zero trust execution plans from DoD organizations are due to the DoD CIO’s office by Sept. 23, 2023. Evaluations of the individual execution plans will take place between October and the holiday period, Sherman said.
In late 2022, the DoD released its zero trust strategy and roadmap outlining how the agency plans to fully implement a department-wide zero trust cybersecurity framework by fiscal year (FY) 2027.
The strategy and roadmap envision an information enterprise secured by a fully implemented department-wide zero trust cybersecurity “target level” framework that will reduce the attack surface, enable risk management, make data-sharing effective in partnership environments, and quickly contain and remediate adversary activities. The DoD’s zero trust plan lays out 91 “target level” goals to be achieved by FY 2027.
“About a year ago, we released the strategy and some of the implementation pieces. But as I’ve talked about before, the components and military forces must pick their adventure in reaching these target goals,” Sherman said.
He explained that the strategy is intended to be a foundation of the zero trust framework, but each organization within the department must decide what road to take to meet the “target level” goals laid out in the broader strategy.
Some defense agencies have already made significant efforts to meet the “target level” goals laid out in the zero trust strategy. The Defense Information Systems Agency (DISA) is one of the defense agencies “well on its way to meet the goals in the DoD’s zero trust plan,” said Lt. Gen. Robert Skinner, DISA’s director, during separate remarks at today’s Billington event.
Skinner explained that DISA efforts such as Thunderdome and the foundational identity management initiative – which the agency already had underway before the release of the strategy – help DISA meet many of the “target level” goals in the zero trust strategy.
The military forces are also moving aggressively on implementing zero trust principles and developing execution plans for meeting the department’s FY 2027 zero trust goal.
However, while the department sees 2027 as its goal date, Sherman explained that this does not mean the zero trust journey ends. The cyber threat landscape is ever-evolving, and adversaries will continue to evolve. The department needs to continue implementing zero trust capabilities.
“Zero trust is an ongoing journey and has no endpoint,” Sherman said. “It’s not a single product we buy or a single thing that we can implement. It definitely requires partnership with industry, defense agencies, and other organizations across other segments of government.”