DOD's Zero Trust Initiative is an Unique 'Unity of Effort,' Air Force CIO Says

The Air Force is developing roadmaps to help guide its implementation of the Pentagon’s zero trust strategy and is working to craft guidance around the use of generative artificial intelligence tools to further promote enhanced cybersecurity practices, the military branch’s chief information officer said during a Billington Cybersecurity webinar on Thursday. 

Lauren Knausenberger, the Air Force’s CIO, said that the Department of Defense’s move toward zero trust architecture—coupled with the governmentwide push to adopt the security framework across agencies—is “a unity of effort unlike [anything] I have seen in my tenure.”

“We are going to spend billions of dollars on this, and we have done the work to make sure that it is going to stick,” she added. “And, actually, I have not been this excited about an effort in the DOD in a really long time, because I am seeing the passion from the engineers, I'm seeing the industry just really show up and give great insight and people are raring to go to solve this problem.”

The Pentagon released its zero trust strategy and roadmap last November, which it said “will reduce the attack surface, enable risk management and effective data-sharing in partnership environments and quickly contain and remediate adversary activities.” DOD plans to have its framework in place across its component agencies by fiscal year 2027. 

The Air Force released its own zero trust implementation roadmap in February, alongside another roadmap to guide the branch’s implementation of the Pentagon’s identity, credential and access management—or ICAM—strategy.

Knausenberger said that, when it comes to zero trust, the Air Force “helped to create the DOD strategy, we are fully bought into it, we are following the DOD strategy and our roadmap flows from that strategy.” She added that crafting the Air Force’s implementation roadmap involved the work of hundreds of people within the branch and also from industry partners. 

According to Knausenberger, the Air Force’s roadmap—which she said “really keeps us honest”—follows “the different parts of the DOD strategy for reporting purposes.” She cited, in part, visibility and analytics, network and environment, data and automation and orchestration as “kind of those pillars that we report and stay unified on at the DOD strategic level.”

Knausenberger said both the zero trust and ICAM roadmaps have allowed the Air Force to go through “each of the threads” of DOD’s cyber strategies and determine “exactly when we expect to hit certain things.” She added that the branch plans to publish more roadmaps moving forward—”about one per month, or every other month as we go into the summer.”

This includes an upcoming roadmap on software-defined wide area networks, which she said “is huge for zero trust.”

“Once I know something about you and the data, I can also dynamically route that data all around the world to all of the places that might need it,” she noted. “That's a huge piece of this, too. So it’s giving more and more granularity to exactly what we're doing, so people that want to help us can help us.” 

Knausenberger said that the broader DOD zero trust strategy is also “a forcing function for moving things to the cloud,” particularly when it comes to the Pentagon’s departmentwide cloud modernization efforts. 

Last year, DOD awarded four tech companies—Amazon Web Services, Google, Oracle and Microsoft—contracts under the $9 billion Joint Warfighting Cloud Capability contract, or JWCC, to deliver enhanced cloud capabilities to the U.S. military. Knausenberger said that DOD and its components are “going all in on JWCC,” adding that the Air Force, in particular, has “suggested that we focus our first dollars and our first energy on secret and top secret” classifications within the modernized cloud environment. 

“The reason for that is because that is where the [Joint All-Domain Command and Control] magic happens,” Knausenberger said, referring to DOD’s ongoing effort to enhance communication and interoperability between its various branches operating across air, land, sea and cyberspace. She noted that DOD’s components are “not at the level of maturity that we'd like to be by ourselves” and added that “as we're maturing out the secret and top secret capabilities, let's do it together.”

As DOD and the Air Force move to embrace more secure cyber practices, the branch is also working to draft policies around the use of generative AI tools and technologies. Knausenberger referenced, in part, the banking industry’s crackdown on the use of AI chatbot ChatGPT over concerns about the security of proprietary information. She said that similar instances of sensitive information being shared with ChatGPT “can absolutely happen in the DOD.”

“We're actually working on getting guidance out, just guardrails for reminding people things that they already know, like don't share [controlled unclassified information] with unclassified products, whether it's ChatGPT or something else,” Knausenberger said. “If you share it with ChatGPT, the danger of sharing that just goes astronomically higher, because it is so powerful.”

Knausenberger said that DOD is also racing to craft policy around the use of tools like ChatGPT, but added that the conversation around generative AI and its capabilities shouldn’t be entirely centered on concerns about its adoption and use. 

“I lean on the side of opportunity for two reasons,” Knausenberger said. "One, it is an incredibly powerful capability. And the other is because if we only see this as a threat and we focus on mitigating the threat, it will be more of a threat because our adversaries are focused on the opportunity and we're only focused on the defense. And so, I think, for many reasons, we need to seize the opportunity. We need to do it safely.”