The Department of Defense (DoD) has officially approved zero trust implementation plans from all 41 of its components as it inches closer to its goal of implementing a zero trust architecture across the entire department by 2027.
In late 2022, DoD released its zero trust strategy and roadmap outlining how the agency plans to fully implement a department-wide zero trust security framework by 2027. As part of the strategy, the DoD’s Office of the Chief Information Officer (CIO) asked DoD components to submit their own individual zero trust execution plans.
Randy Resnick, who serves as director of the Zero Trust Portfolio Management Office within the DoD CIO Office, said that his office received 39 implementation plans from the components between October and November.
The reason that number is 39 and not 41, he explained, is that the Air Force’s implementation plan included the Space Command, and the Navy’s plan included the Marine Corps.
“We evaluated all of them. It took 35 people full-time to go through 39 plans, and there was just a lot of material and information that was contained in all of them,” Resnick said on Thursday at the CyberScape Summit hosted by GovCIO Media & Research. “In the end, we had to engage literally one-to-one relationships with all of the components to get their plan to a level that was acceptable.”
“Every plan is now acceptable,” he announced. “We’re dealing with onesies, twosies, but they’re at a place now where I can say publicly that they have the strategy, they have the plan, they have schedules, it’s understandable, it certainly was acceptable by our team, and that’s what we’re going to start to begin tracking.”
The department expects to brief Congress on the implementation plans by the end of this month. However, Resnick stressed that these plans are not “one and done,” because version 2.0 of the implementation plans is due to DoD in October.
Components Setting Up New ZT Offices
To further accelerate zero trust efforts across the department, Resnick said that each component has already set up or will soon set up a Zero Trust Functional Management Office (FMO).
The Zero Trust Portfolio Management Office’s job is to synchronize the department to accelerate zero trust, but Resnick said his office soon realized that there was no one in the components who was also focused on that.
“So, we quickly learned that they needed a program office or what they’re now calling a Functional Management Office, a Zero Trust FMO, in each one of the components,” Resnick said.
“Of the 41 components, each one of those 41 components has now set up or is about to set up a Zero Trust Functional Management Office – the couple of people that are working full time that are focused only on their component and the acceleration of ZT,” he added. “So, that helps.”
Resnick said that his office is now starting to engage some of the FMOs and “tasking them to look at their policies.” Meanwhile, he explained that his office will be looking at the larger DoD-wide cybersecurity policies.
“Anything that has the word cyber in it, or information system security, or any of the older terms that some folks in this room would be aware of, those are all being touched in the next 12 months – invalidated, eliminated, or rewritten to start including some of the language of zero trust,” he concluded.