Pentagon releases zero trust plan to keep hackers out of its networks

Department of Defense CIO for Cybersecurity David McKeown records a message for the RSA conference on April 28, 2021. McKeown detailed new zero trust plans for defense agencies on Tuesday.

Department of Defense CIO for Cybersecurity David McKeown records a message for the RSA conference on April 28, 2021. McKeown detailed new zero trust plans for defense agencies on Tuesday. Lisa Ferdinando/DOD

Defense agencies are to implement zero-trust standards by 2027.

Defense agencies have until 2027 to convert their networks to architectures that continually check to make sure no one’s accessing data they shouldn’t. 

This shift to zero trust principles is at the core of the Pentagon’s new five-year plan to harden its information systems against cyberattacks. The strategy and roadmap were released on Tuesday.

To get there, agencies can improve their existing environments, adopt a commercial cloud that already meets DOD’s zero trust specifications or copy a prototype of a private cloud, David McKeown, the Pentagon’s acting principal deputy chief information officer, told reporters. And to help enforce it, the DOD chief information office will track their spending.

“We will hold them accountable by asking them to build a plan,” McKeown said. “And as a part of that capability planning guidance…they have to come back to us and show us in their budgets how much they're spending on zero trust and what they're getting for that.”

McKeown said implementation shouldn't change the user experience much, other than extra authentication steps to make sure the right people are accessing information.

“We may be doing data tagging, and the access to specific pieces of data may require additional authentication. But we would prefer that there be very low friction as the user goes about their daily business,” he said.

But part of getting to a universal zero trust posture is managing identity, credentialing and access, or ICAM. 

“Not everybody in the department is on a federated ICAM solution, which we can check credentials against. That's going to be a starting point,” he said, adding that there will likely be some education about zero trust concepts.

DOD plans to track implementation and product performance across its 10,000 information systems, McKeown said, looking at questions like, “Was everything detected? How fast could we respond? How fast can we remediate in the environment?” 

Cyber testing will continue as the system is built, and after using automated tools. Additionally, network updates are expected to be made during the zero trust implementation. 

The Defense Department’s increased reliance and embrace of commercial cloud infrastructure has garnered criticisms related to cybersecurity. But McKeown said zero trust has been “a prominent discussion in the room about the vendors’ capabilities and whether or not they'd be able to deliver,” whether it’s everyday computers, weapons or industrial control systems. 

As a first step on a multi-year journey, DOD is going to start piloting zero trust principles with cloud architecture. But success is not a given. 

“Everybody's starting to think about these zero trust concepts and bake them into the solutions that we're using here in the department,” he said. 

“It’s uncertain whether or not it will actually pan out. On paper, it looks great. From a technical review point of view, it's achievable, according to the cloud vendor, as well as our own analysis,” McKeown said. 

The unknown is whether it will hold up to offensive cyberattacks designed to access the network. Test results will be key “to see whether or not we could actually get the effects of zero trust that we want to get out of those clouds,” Randy Resnick, the director of DOD’s zero trust office, told reporters.