DOD Shares Details on Zero Trust Architecture Timeline

The Defense Department has completed the initial draft of its zero trust reference architecture, a set of guidelines meant to evolve the agency’s cybersecurity protocols beyond traditional perimeter defense operations. 

Joseph Brinker, chief of the Defense Information Systems Agency’s security enablers portfolio, told Nextgov in an email the initial draft was completed in October. It has since been released for staffing across the department as part of the DOD chief information officer’s “formal enterprise architecture content review, assessment, and approval process,” Brinker said. 

Final approval of the reference architect will come after all the input from this process is worked through. This process will likely be completed midway through quarter two in fiscal year 2021, Brinker said. 

DISA originally announced it would work on a zero trust reference architecture for the department in July during AFCEA International's annual Army Signal Conference. 

Vice Adm. Nancy Norton, director of DISA as well as commander of the Joint Force Headquarters DOD Information Network, said the COVID-19 pandemic accelerated a “cybersecurity paradigm shift” during an appearance at AFCEA International’s virtual 2020 TechNet Cyber event this week. 

“Our zero trust model assumes that our internal networks are as hostile as external networks,” Norton said, adding zero trust will enable DOD to focus on securing data such that even when networks are violated, information will remain protected. 

Michael Daniel, president and chief executive officer at the Cyber Threat Alliance, told Nextgov in a recent interview he’s “very interested” to see what comes out of the zero trust reference architecture. Daniel served as a special assistant to President Barack Obama and as the cybersecurity coordinator on the National Security Council staff before joining CTA in 2017.

“I will say that I think that I am a little concerned that zero trust is starting to take on the same sort of thing as blockchain where it's sort of being thrown out there as the solution to all of your problems,” Daniel said. “Like with so many things, zero trust is a tool. It will not solve all the problems, but certainly, it will get at a class of problems that have been typically difficult to solve.”

Daniel said zero trust is the right move, but the department likely faces organizational and process challenges as it looks to adopt the framework, more so than technology challenges.  

Norton said on Tuesday the department isn’t looking to acquire a “box of zero trust;” rather, DISA and DOD will look at the tools and configurations they have and figure out how to align them to create a cybersecurity posture consistent with zero trust principles. 

DISA released the first annual refresh of its strategic plan outlining a vision for the agency through 2022 earlier this week, and zero trust featured prominently in the plan’s new technology roadmap. The roadmap indicates DISA will define the zero trust reference architecture and develop a policy test and implement capability.