DISA to Release Zero-Trust Model This Year


Vice Adm. Nancy Norton said the Defense Department must take a data-centric approach to protecting its networks.

The Defense Information Systems Agency is moving to a new cybersecurity framework, according to a DISA press release. Vice Adm. Nancy Norton outlined the “zero trust” model July 15. 

Addressing the AFCEA Army Signal conference, Norton described the new model as a way to help prevent data breaches by switching from a network-centric to a data-centric security model. During a question and answer session, she said she expects an initial reference architecture for the new model to come out later this year. 

“Zero trust is designed to ensure the people and devices accessing our critical infrastructure, resources and information are the ones who are supposed to be accessing them,” Norton said. The framework moves security standards beyond the traditional moat-and-castle format, which focuses on hardening the network perimeter and managing entry. However, this model remains vulnerable to adversaries because once they cross the “moat,” they can move freely throughout the “castle.” 

“This uses the fundamental premise that denies all and allows by exception rather than allowing all and denying by exception,” Norton said in her AFCEA address. 

According to Norton’s explanation, this is one of the three key principles of zero trust: never trust, always verify. The second is to assume breach, which bucks the castle-and-moat assumption that everything inside the perimeter is safe. The third element of zero trust is to provide explicit verification for access to the network and data. 

Norton added that implementing zero trust in classified networks is imperative, even though perimeters for those networks are already stronger than average. 

“The moat might be stronger, but the castle is that much more important,” Norton said. “So we can’t let our guard down, we have to have the same kind of defenses. The zero trust principles are even more important when we get to our classified networks.”

Zero trust will be able to work with both legacy systems and new technologies, according to Norton. The reference architecture will provide a roadmap for how to apply new systems to both old equipment and new technologies, she said. 

The National Institute of Standards and Technology updated a report in February explaining the need for zero trust in government. It described the push for zero trust as a response to workforce trends including increased work from home practices as well as increased use of cloud technology. 

“Zero trust focus[es] on protecting resources, not network segments, as the network location is no longer seen as the prime component to the security posture of the resource,” the report reads. 

The report came even before coronavirus sent vast majorities of the workforce home, and some experts argue the pandemic clearly demonstrates the need for agency leaders to start moving to zero trust.