The Department of Defense (DoD) released an updated version of its Cybersecurity Reference Architecture (CSRA) – the fifth iteration of this document – laying out new objectives closely aligned to the broader DoD zero trust strategy.
The CSRA – formally entitled the Single Security Architecture – serves as a reference framework intended to be used by DoD to guide the modernization of cybersecurity.
The release of CSRA Version 5 is another push in the Pentagon’s evolution to modernize cybersecurity through the adoption of a zero trust architecture – which is DoD’s “approach to meet the intent described in E.O. 14028, Improving the Nation’s Cybersecurity.”
The updated CSRA provides the architecture framework for modernizing cybersecurity for DoD and supports completion of the “target level” in DoD’s zero trust strategy, which the department released in November 2022.
DoD’s zero trust strategy outlines an information enterprise secured by a fully implemented department-wide zero trust cybersecurity “target level” framework that will reduce the attack surface, enable risk management, make data-sharing effective in partnership environments, and quickly contain and remediate adversary activities.
Specifically, the updated guidance includes a revised list of three principles that reflect the Pentagon’s zero trust strategy.
Principle one speaks of the need to reduce risk from the inside out. It states that risk reduction must focus on the protection of DoD data, assets, applications, and services, and a secure path to access them.
The second principle focuses on increasing mission assurance through resilience. According to the Pentagon, resilience is a key concept that helps quantify the ability of a system to maintain effectiveness and recover, especially during an active cyber event.
Finally, principle three deals with enabling modernization; to achieve and maintain cybersecurity superiority, decisive and deliberate steps must be taken. This includes establishing and enforcing data tagging; accelerating movement to secure cloud services; and integrating identity, credential, and access management standards.
CSRA Version 5 also incorporates three technical outcomes intended to drive the adoption of a zero trust architecture: authenticated and authorized access to all resources; access control enforcement based on multiple sources of authoritative data; and automated security responses that enable dynamic changes to security controls.
The DoD said it plans to add more outcomes and principles in the future as it moves forward with its adoption of zero trust.
In addition, the CSRA will align with the DoD’s Cyber Survivability Attributes (CSAs) to support the measurement and testing of the adoption of zero trust solutions. According to the DoD, aligning the CSRA with the CSAs is intended to “simplify the analysis of source selection criteria and prevent the acquisition of capabilities that do not support zero trust outcomes.”