A look at the DoD's Zero Trust Strategy
Securely Modernizing DoD IT Systems
The Department of Defense (DoD) recently published their Zero Trust strategy. This comes on the heels of the Cybersecurity Executive Order (EO) which placed a large emphasis on the need for the Federal government to adopt Zero Trust, as well as subsequent publications such as the overarching Federal Zero Trust Strategy, CISA’s Zero Trust Maturity Model and DoD’s own Zero Trust Reference Architecture.
This article takes a look at the DoD’s Zero Trust Strategy, discusses how it ties back to the aforementioned artifacts, and also looks at the path ahead.
Diving In
The DoD’s ZT Strategy opens with a powerful statement from the DoD CIO, John Sherman, on how malicious actors are currently abusing the antiquated state of security in the DoD and the imperative to adopt ZT to mitigate this impact.
“Our adversaries are in our networks, exfiltrating our data, and exploiting the Department’s users.”
This quote is both an acknowledgement of the current and ongoing gaps in the DoD and Defense Industrial Base (DIB)’s IT systems, as well as an issue that was identified in early NSA Red Team exercises of DoD IT Systems and Networks in the 90’s named “Eligible Receiver” which found malicious actors roaming in DoD Networks. (Be sure to read “Dark Territory: A Secret History of Cyber War” for a detailed account of DoD IT systems and more broadly Critical Infrastructure Cybersecurity).
The strategy also emphasizes that ZT is more than an IT solution or product and includes capabilities, technologies, solutions and processes across organizational architectures and systems. It builds on this statement with the emphasis from the Cyber EO that incremental improvements simply won’t cut it and that bold changes are required to defend our vital institutions (which of course includes the DoD, DIB and our warfighters).
The strategy projects that in five years the DoD will have adopted a risk-based ZT framework across the defense ecosystem. This includes having ZT principles integrated across the five cyber functions many of us know from the NIST Cybersecurity Framework (CSF), which are Identify, Protect, Detect, Respond and Recover. This will all culminate in mitigating malicious activity to DoD’s IT systems.
That projected future state, however, differs significantly from the current state of affairs in the DoD, which the document acknowledges involves wide-scale and persistent attacks from both known and unknown malicious actors, ranging from individuals to full-on nation-state adversaries. The antiquated state of DoD’s IT environment, which is largely perimeter-based, leads to these activities having far larger impacts than they would under a ZT architected and operated state, which includes the elimination of implicit trust for devices, identities and so on.
The DoD’s ZT Strategy lays out four strategic goals:
Zero Trust Culture Adoption
DoD Information Systems Secured and Defended
Technology Acceleration
Zero Trust Enablement
The strategy makes clear that the DoD’s establishment of the DoD CIO’s Zero Trust Portfolio Management Office (PfMO) as mentioned in this article is key to success of the strategy.
These four strategic goals are oriented around 7 DoD Zero Trust Pillars, as identified below. (You’ll notice similarities to the previously mentioned CISA Zero Trust Maturity model, with some differences among the pillars).
For a quick understanding of the Zero Trust Strategy, the document provides a diagram titled “DoD Zero Trust Strategy-at-a-Glance” which covers the Vision, Goals and Objectives which comprise what the DoD will achieve and how it plans to realize the value of those achievements.
Now that we have an overview of some of the fundamental high-level aspects of the DoD ZT Strategy, let’s dive into some of the specifics.
The DoD ZT strategy defines ZT as
“An evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources”
This concept of course echoes the principles evangelized by Zero Trust creator, John Kindervag, in his 2010 paper “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security”.
The strategy emphasizes how much of a culture shift it is for not just the DoD but also the Defense Industrial Base (DIB) to move to no implicit trust for assets or users regardless of location, device, or network, stating that the shift will begin in 2023 and continue through 2027 and beyond. That said, it is worth noting that several entities in DoD have already begun adopting ZT methodologies in their architectures and environments, a notable example being DoD’s Cloud Native Access Point (CNAP), which has its own reference architecture and has been implemented by programs such as Platform One.
Strategic Context
One refreshing aspect of the DoD ZT Strategy is the alignment with the overarching DoD National Defense Strategy and the emphasis on empowering the warfighter with the right access at the right time. The DoD, at the end of the day, is a war-fighting organization whose mission involves the national security of the U.S. and its allies and interests. In discussions of DoD and technology this reality is often lost, so it was good to see it explicitly listed in an example.
One other promising aspect of the DoD’s ZT Strategy is its alignment with broader overarching artifacts such as the National Security and Defense Strategies, the broader DoD Cyber Strategy and peer artifacts such as DoD’s Cyber Risk, Data and ICAM strategies, as listed in the diagram below. Failing to utilize a unified approach at the strategic level would inevitably lead to a disjointed and incoherent implementation at the tactical level.
DoD’s Zero Trust Strategic Vision
“A DoD Information Enterprise secured by a fully implemented, Department-wide Zero Trust cybersecurity framework”
The vision makes clear that this is a DoD-wide effort but also will take several years to achieve the ZT goals and objectives, including a five-year planning horizon leading up to FY27 and beyond. That said, the strategy makes clear the DoD is exploring innovative options such as commercial and Government-owned cloud-based services to accelerate DoD’s ZT implementation. This is another example where the DoD and Government more broadly sees Cloud as critical to not just business and mission goals but security goals and requirements as well.
The vision also acknowledges the presence of both “Target Level” and “Advanced” ZT levels of adoption and the plan to achieve them in that maturity-based manner, with oversight and involvement from the previously mentioned ZT Program Office.
Strategic Outcomes
The DoD’s ZT strategy goes on to list several examples of significant benefits that the DoD, its components, partners and most notably the Warfighter would receive from the DoD’s ZT implementation. Examples include secure, geographically unrestrained access to data as mission needs require, a mobile cloud-enabled workforce, reduced attack surface, and effective damage containment, among others.
As with other examples from the strategy, the document makes explicit use of an example, in this case DIB users and organizations being able to support warfighters whenever and wherever needed, all while doing it securely under the auspices of ZT security measures for personas, devices and data.
DoD’s Zero Trust Approach
The DoD ZT Strategy acknowledges some key assumptions that will help drive execution of the strategy. These include:
Complex Security Threats Persist - Meaning while accelerated ZT adoption is necessary due to the current threat landscape, new threats will continue to evolve and the DoD must evolve concurrently to address these new threats.
Culture, not just Technology - Perhaps the most critical line in the strategy in my opinion. Major digital transformation efforts generally suffer from the perception that they are or can be solved by technology, despite the reality that culture is the force multiplier and primary determinant of successful transformation. The strategy explicitly acknowledges this reality.
Modernization Requires Rethinking - The strategy points out that old ways of thinking on how to use infrastructure and security won’t suffice, new thinking, including a focus on efficiency is key to enabling the warfighter with performant, interoperable capabilities.
Increasing Global and Industry Partner Collaboration - This assumption emphasizes the increasing need for dynamic and capable access across a wide range of Government and industry partners all in support of DoD’s activities.
Concurrent Enterprise Mission Owner Implementation - This assumption makes clear that a unified Enterprise approach is required across both Enterprise-level and Mission Owner-level interests to avoid a bespoke disjointed ZT ecosystem across the DoD.
Real-Time, Risk-based Response - The age-old “compliant doesn’t mean secure” strikes again with this assumption, as the strategy points out the need to shift from a compliance-based approach to one of risk-based security due to the nature and complexity of the modern threat landscape. This shift is required for fundamental DoD efforts such as JADC2, which aims to connect sensors from all service branches to a single network and ecosystem. It’s worth noting the shift from compliance to risk-based security is similar to sentiments from Navy CIO Aaron Weis, who is leading a charge for the Navy to move to a concept of Cyber Readiness.
Legacy IT Remains a Challenge - This assumption acknowledges the large legacy IT footprint across the DoD and the need to implement mitigating controls while elimination or modernization of legacy tech can occur.
Leadership and Operator Buy-In - In order for the DoD ZT strategy to be successful, buy-in must occur across all levels of leadership and functional responsibility.
Strategic Principles
The DoD’s ZT Strategy utilizes a set of guiding principles to function as guardrails when leadership is making decisions on how to implement the ZT strategy. These include:
Mission Oriented - The need for all users and non-person entities (NPEs) with a valid mission need to access and work from anywhere.
Organizational - Presuming breach, limiting blast radius and accounting for existing and future organizational structures.
Governance - Simplify and Automate and Never Trust, Always Verify Explicitly. This includes modernized governance models and technical capabilities to change how users, devices and applications are authenticated and authorized.
Technical - Least Privilege, Scrutinize and Analyze Behavior, Architectural Alignment and Reduced Complexity. These guardrails lead to least-permissive access control, continuous monitoring of behavior in the operating environment and architectural changes to enable this shift.
DoD Zero Trust Pillars
As previously mentioned, the DoD ZT strategy is oriented around seven pillars. They include:
User - Continually authenticate, access, and monitor user activity patterns to govern users’ access and privileges while protecting and securing all interactions.
Devices - Understanding the health and status of devices informs risk decisions. Real-time inspection, assessment and patching inform every access request.
Applications & Workloads - Secure everything from applications to hypervisors, including the protection of containers and virtual machines.
Data - Data transparency and visibility enabled and secured by enterprise infrastructure, applications, standards, robust end-to-end encryption, and data tagging.
Network & Environment - Segment, isolate and control (physically and logically) the network environment with granular policy and access controls.
Automation & Orchestration - Automated security response based on defined processes and security policies enabled by AI e.g. blocking actions or forcing remediation based on intelligent decisions.
Visibility & Analytics - Analyze events, activities and behaviors to derive context and apply AI/ML to achieve a highly personalized model that improves detection and reaction time in making real-time access decisions.
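To make the principles and pillars above concrete, here is an added example that is not from the DoD strategy or this post: a minimal policy decision point that evaluates every access request against the User, Devices and Data pillars, denies by default, applies tighter thresholds for more sensitive data (the risk-based approach), and records network location for audit without letting it grant any trust. The user and device attributes, the classification labels and the numeric thresholds are all assumptions chosen for the illustration.

```python
"""Added example: a deny-by-default zero trust policy decision point.
Attributes, labels and thresholds are illustrative assumptions, not the strategy's."""
from dataclasses import dataclass, field, replace
from enum import IntEnum
from typing import Dict, FrozenSet, List


class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CUI = 2  # Controlled Unclassified Information (label chosen for the example)


@dataclass(frozen=True)
class User:
    name: str
    mfa_verified: bool
    auth_age_minutes: int                   # minutes since last successful authentication
    clearances: FrozenSet[Classification]   # data labels this user may access (assumed attribute)


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in enterprise device management
    health_attested: bool    # passed a posture/health check for this session
    patch_age_days: int      # days since the last patch cycle completed


@dataclass(frozen=True)
class AccessRequest:
    user: User
    device: Device
    resource: str
    classification: Classification
    on_enterprise_network: bool  # recorded for audit only; never grants trust


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


# Assumed risk-based thresholds: more sensitive data demands fresher authentication
# and a tighter patch window. Values are illustrative.
MAX_AUTH_AGE_MINUTES = {Classification.PUBLIC: 480, Classification.INTERNAL: 60, Classification.CUI: 15}
MAX_PATCH_AGE_DAYS = {Classification.PUBLIC: 90, Classification.INTERNAL: 30, Classification.CUI: 14}


def evaluate(req: AccessRequest) -> Decision:
    """Deny by default: the request is allowed only if every check passes."""
    reasons: List[str] = []
    level = req.classification

    # User pillar: continually authenticate; stale sessions must re-authenticate
    if not req.user.mfa_verified:
        reasons.append("user: MFA not verified")
    if req.user.auth_age_minutes > MAX_AUTH_AGE_MINUTES[level]:
        reasons.append("user: re-authentication required for this data level")

    # Device pillar: health and patch status inform every access request
    if not req.device.managed:
        reasons.append("device: not enterprise-managed")
    if not req.device.health_attested:
        reasons.append("device: health attestation missing")
    if req.device.patch_age_days > MAX_PATCH_AGE_DAYS[level]:
        reasons.append("device: patch level too old for this data level")

    # Data pillar: least privilege by data label
    if level not in req.user.clearances:
        reasons.append(f"data: user not cleared for {level.name}")

    # Network pillar: on_enterprise_network is deliberately never consulted here.
    return Decision(allow=not reasons, reasons=reasons)


def location_is_ignored(req: AccessRequest) -> bool:
    """True if the same request gets the same decision from inside and outside the network."""
    inside = evaluate(replace(req, on_enterprise_network=True))
    outside = evaluate(replace(req, on_enterprise_network=False))
    return inside.allow == outside.allow and inside.reasons == outside.reasons


def sample_requests() -> Dict[str, AccessRequest]:
    """Constructed sample input: an on-network contractor with a stale session on an
    unattested, unpatched kiosk, and an off-network analyst meeting every check."""
    analyst = User("analyst", True, 5, frozenset(Classification))
    contractor = User("dib-contractor", True, 120,
                      frozenset({Classification.PUBLIC, Classification.INTERNAL}))
    laptop = Device("lt-001", managed=True, health_attested=True, patch_age_days=3)
    kiosk = Device("kiosk-7", managed=True, health_attested=False, patch_age_days=45)
    return {
        "inside": AccessRequest(contractor, kiosk, "hr-share", Classification.INTERNAL, True),
        "outside": AccessRequest(analyst, laptop, "mission-db", Classification.CUI, False),
    }


def sample_decisions() -> Dict[str, Decision]:
    return {name: evaluate(req) for name, req in sample_requests().items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(name, "ALLOW" if decision.allow else "DENY", decision.reasons)
```

The point of the example is the last two checks in `evaluate`: the request from inside the enterprise network is denied on three separate grounds, while the remote request to CUI data is allowed because the user, device and data checks all pass at the stricter thresholds. `location_is_ignored` makes the "no implicit trust from network location" property testable rather than merely stated.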
Strategic Goals & Objectives
The DoD ZT Strategy revolves around four high-level goals and accompanying objectives, identified in the table below:
Looking at the goals it is clear they involve people, process and technology, and in that order, unlike the traditional norm in our industry, as previously mentioned, which puts technology ahead of cultural change.
The strategy takes it a step further and provides specific verbiage for what is required to achieve each goal, whether it is a culture of ZT awareness among the workforce, applying ZT principles to new and legacy IT systems, accelerating tech adoption and allowing for enablement by cultivating appropriate policies, processes and accompanying funding across the Department.
The Objectives for each Goal can be found below:
Execution
“Without strategy, execution is aimless. Without execution strategy is worthless”
Most of us know this quote or something similar, and where the DoD’s ZT pursuits will succeed or fall flat is on the execution front. The DoD and Government more broadly have no shortage of bold strategy documents and associated visions. It is in execution where the rubber fails to hit the road and outcomes don’t get delivered.
While the DoD ZT Strategy doesn’t explicitly acknowledge this, it does have an entire section dedicated to execution, which involves the DoD Cyber Council and DoD ZT PfMO working with the Services/Components to plan for and address any gaps based on the proposed strategy. This includes defining, developing, and adapting execution plans to achieve the DoD ZT Strategy goals and objectives. Adapting particularly stands out, as it is an acknowledgment that execution will need to be refined as time goes on, and the DoD and its associated Service/Components ZT implementation matures.
The strategy also states that Components and System Owners will need to annually submit waivers to the ZT PfMO and DoD CIO, particularly for legacy infrastructure and systems which may struggle currently, and potentially always, to align with the ZT guidance. The guidance even goes so far as to state that the DoD may explore potential refinements to how DoD implements the Risk Management Framework (RMF) to achieve the ZT objectives and goals. This aligns with the previous comments about moving away from a compliance-based culture of cybersecurity and also reflects guidance from groups such as the National Security Telecommunications Advisory Committee (NSTAC) in its report to the President.
The DoD ZT Strategy plainly states that:
“To achieve a fully secured and defended DoD Information Environment (IE) the Department and Components must achieve all ZT capabilities shown in the below diagram”
These capabilities of course are structured across the previously mentioned seven pillars of ZT as identified in the strategy and build atop key enablers such as Doctrine, Training, Leadership and Policy, among others, as shown.
That said, the guidance states that while all DoD Components must achieve the previously mentioned “Target Level” for ZT, only a limited number of systems will be required to achieve the “Advanced ZT” state. The strategy states that this compliance and maturity will again be monitored by the DoD ZT PfMO, which of course is a large task across the entire DoD ecosystem and creates the potential risk that ZT goals and objectives ironically become checkboxes themselves that Components and System/Mission Owners strive to meet in order to satisfy the oversight and inquiries of the ZT PfMO.
DoD Zero Trust Capability Roadmap
The DoD ZT Strategy goes on to lay out a High-Level Capability Roadmap that it states will guide the DoD’s baseline course of action (COA) in achieving the ZT strategy. The roadmap also covers dependencies and interdependencies that may influence the sequence or parallel development of capabilities laid out in the strategy. The goal is for the DoD to achieve Target Level ZT by FY27, which will involve the various components determining the technologies and solutions needed to achieve the desired outcomes and then creating and implementing action plans accordingly.
Above is a diagram showing the desired Target and Advanced Level ZT goals broken out over fiscal year (FY). While it uses a shaded/color coded scheme to depict maturity, it isn’t clear how the current state assessment was done or what the colors mean across the spectrum, particularly as it is certain that ZT maturity looks drastically different across the vast and diverse DoD ecosystem.
Resourcing & Acquisition
Continuing on, the DoD ZT Strategy discusses the need for proper resourcing and acquisition to achieve the ZT goals and objectives. This will again be overseen by the ZT PfMO that will help orchestrate and prioritize ZT resources and acquisition decisions for the entire Department, in collaboration with stakeholders as appropriate.
To address resourcing, the Department will make use of resources such as the DoD CIO’s Capability Programming Guide (CPG) and the existing Planning, Programming, Budgeting and Execution (PPBE) process (which is the source of frequent criticism, frustration and calls for an overhaul, often being called rigid, inflexible and antiquated).
The guidance states that the DoD CIO office will work with the various components to address resource shortfalls through the FY Program Objective Memorandum (POM) cycle (which helps allocate future FY funding/resourcing).
In addition to resourcing, the DoD CIO will work with components to coordinate the identification and procurement of applications, assets and services that the DoD and its various agents need at the Enterprise-level, with Component acquisition being handled at that respective level for their unique mission needs.
The DoD ZT Strategy is clear that it does not mandate or prescribe specific technologies or potential solutions. It instead is focused on ZT capabilities that must be met for the Target and Advanced Level ZT goals previously discussed. Any specific tools, technologies, services and solutions that the various Components and Mission Owners decide on will need to be substantiated to their respective Authorizing Officials (AOs) and/or the ZT PfMO.
[For those unfamiliar, AOs are typically senior leaders who are able to grant a Federal/DoD IT system the authority to go into a production environment, generally as part of the broader Risk Management Framework (RMF) that the Federal/DoD ecosystem uses to manage IT systems from a compliance perspective.]
This of course requires competent and technically savvy AOs, along with competent technical staff in the ZT PfMO, able to discern whether the demonstrated capabilities indeed meet the requirements or are smoke and mirrors. This isn’t a challenge unique to ZT, as AOs are often senior leaders/executives, often disconnected from the respective technologies being implemented by Mission/System Owners, who need to rely on the judgement and feedback of their respective Security Control Assessors (SCAs) and auditing staff to make risk-informed decisions. It is also worth noting that the DoD ZT Strategy includes capabilities for Continuous Monitoring and Ongoing Authorization in the advanced tier of the Applications & Workloads pillar. This is in line with the DoD’s push to move towards Continuous Authority to Operate (cATO) for systems with a mature cyber posture.
Resourcing and Acquisition will be absolutely key for the DoD achieving its ZT Strategy, both from a technology and services perspective, to ensure a cohesive approach that accounts for the DoD and DIB’s complex landscape, architectures and diverse mission needs.
Measurement and Metrics
The DoD ZT Strategy emphasizes the need for a metrics-based approach to measure and report on the DoD’s progress of meeting the four strategic ZT goals discussed above. This includes using SMART objectives associated with the goals to measure both component and DoD-wide progress. These will include both qualitative and quantitative metrics. Components will be responsible for contributing data to support the analysis of the effectiveness and progress for their respective systems in relation to the overarching strategy.
Summary
The strategy closes by reiterating that success of this effort will require coordinated efforts across the Joint Force and entire defense ecosystem, including the DIB. This requires, as they say, the entire department understanding and embracing the culture of ZT.
The DoD’s ZT Strategy represents a bold initiative to modernize DoD IT systems securely and adopt a more resilient security posture. That said, as mentioned earlier, success or failure will depend on effective and widespread implementation across one of the most complex organizations and IT architectures in the world.
It will be a journey of many steps, and the DoD ZT Strategy represents one significant step forward on that journey, with many more that need to follow.
It is worth quoting some of the summary here for emphasis on how critical the DoD sees ZT to the future of not just the DoD but the nation.
Cybersecurity in the world today is, by definition, a moving target, and while it may move, the concept and the culture will remain the same, even as the Department adapts and refines the strategy. Ongoing and open communication and coordination, underpinned by proper funding and resourcing, are key to the strategy's success.
The Department’s ability to protect, and by extension, DoD personnel against the array of increasingly sophisticated cybersecurity threats depends on it.
Resources
Below is a list of useful books and additional resources for those looking to learn more about Zero Trust as well as the history of DoD/Federal IT systems that I recommend personally.
Federal Zero Trust GitHub Repo (I created): https://github.com/chughes757/FederalZeroTrust
For those looking for a more detailed deep dive on the various ZT capabilities laid out by the DoD ZT Strategy, you can find some of the diagrams below, which are from the appendix of the strategy itself. You should also explore the DoD Zero Trust Capability Roadmap linked above that lays out the desired capabilities, timelines and courses of action.