This plan, which the department released on Tuesday, is “a framework for moving beyond relying on perimeter based cybersecurity defense tools alone,” and officials have a target implementation date of fiscal 2027, David McKeown, the DOD’s acting principal deputy CIO, told reporters during a briefing that day.
“Zero trust” security, as described in the policy, “eliminates the traditional idea of perimeters, trusted networks, devices, personas, or processes and shifts to multi-attribute-based levels of confidence that enable authentication and authorization policies founded on the concept of least privileged access. Implementing the Zero Trust Framework requires designing a more efficient architecture that enhances security, the user experience, and overall mission performance.”
The strategy's four pieces of implementation are zero trust cultural adoption, the incorporation of DOD information systems into zero trust systems, the deployment of zero trust-based technologies, and, finally, execution that integrates with seamless department-level and component-level processing.
The 29-page strategy also acknowledges that the department is “under wide scale and persistent attacks from known and unknown malicious actors,” and it provides a stark warning: “The Department must act now.”
“With zero trust, we are assuming that a network is already compromised, and through recurring user authentication and authentic authorization, we will thwart and frustrate an adversary from moving through a network and also quickly identify them and mitigate damage and the vulnerability they may have exploited,” Randy Resnick, zero trust portfolio management office chief, added during the same briefing.
DOD Chief Information Officer John Sherman reiterated the expansive scope of such a strategy, calling it “more than an IT solution,” in the foreword of the strategy. “Zero Trust may include certain products but is not a capability or device that may be bought. The journey to Zero Trust requires all DoD Components to adopt and integrate Zero Trust capabilities, technologies, solutions, and processes across their architectures, systems, and within their budget and execution plans.”
The document described China as the “most consequential strategic competitor and the pacing challenge for the Department” and said that China, “as well as other state-sponsored adversaries and individual malicious actors[,] often breach the Department’s defensive perimeter and roam freely within our information systems.”
“We believe that everything that we’ve talked about here today, everything part of the zero trust strategy and implementation plan, gets after the problem of advanced persistent threats, of which China is one of a handful that we’re tracking worldwide and we are constantly doing battle with in the cyberworld. So, we feel like this is a great solution to early detection and eradicating them off of our network if they do get a foothold,” McKeown added.