The Department of Defense (DoD) plans to compile a list of successful zero trust implementations this year to deepen its understanding and facilitate the wider adoption of zero trust architecture across its operations, according to a senior Pentagon official.
Randy Resnick, senior advisor of the DoD’s Zero Trust Portfolio Management Office (PfMO), said the list will help centralize zero trust implementations across the DoD and develop test programs, speaking at AFCEA DC’s cyber luncheon on Feb. 27.
According to Resnick, the pilot programs will be done “in a centralized fashion” and the “services don’t have to worry about funding a pilot or running a pilot on their own.”
Resnick said his goal with putting this list together is to increase the DoD’s procurement and installation of zero trust technologies “this calendar year.” He said DoD’s centralized zero trust process will increase cooperation with vendors and advance zero trust technology.
“If we are evaluating a solution that shows success in DoD, there’re nothing stopping anybody from procuring these licenses and implementing [zero trust] if they want to follow the DoD approach,” Resnick said.
Resnick said the team needs to implement more processes like this to “stay on target” for fully implementing zero trust IT in fiscal year (FY) 2027.
In November 2022, the DoD released its zero trust strategy and roadmap, detailing plans to fully implement a zero trust cybersecurity framework across the department by FY2027. For nearly two years, the DoD has been working toward achieving unified security across its various domains, with a goal of meeting “target” level objectives for zero trust by FY2027.
Ultimately, Resnick said the biggest challenge in implementing zero trust across the DoD is in coordinating across the various agencies to come up with strategies that effectively serve them well.
“We’re trying to synchronize the [department] in its application of zero trust everywhere. We’re talking about three million people that have to be secured by zero trust,” Resnick said.
Additionally, Resnick reiterated his commitment to providing zero trust guidance for operational technology (OT) by the end of the summer or beginning of the fall in 2025.
This upcoming guidance, he explained, will allow the DoD to update its strategy for zero trust to include OT and think about integrating it into defense critical infrastructure and weapons systems. Resnick did not say how long it would take for zero trust to be implemented into OT but pointed to the five-year timeline provided for IT as an example of a timeline.
“You can see the aggressiveness coming from the department when it comes to zero trust,” Resnick said, adding that he hopes that more zero trust guidance and operational standards in the DoD will allow vendors to engage in the process more openly.
While he wants to engage innovation in zero trust for OT, Resnick said his team is working carefully with the guidelines they create to successfully manage implementation.
“We have to be very careful with what the outcomes need to be in order to command and control what we want to get done in OT,” Resnick said.
