DOD zero-trust strategy coming this year, CIO says

John Sherman, acting CIO, said he is working on a strategy for the DOD's move to zero trust, a security model with access checks at every step of the network.
John Sherman presents a keynote address from the Pentagon Briefing Room for the Cyber Beacon virtual event, Dec. 3, 2020. (DoD photo by Marvin Lynchard)

The Department of Defense plans to release a zero-trust architecture strategy in 2021, acting CIO John Sherman announced Thursday, adding to a growing list of new zero-trust-related documents to come this year from the DOD.

While few details were shared about the nature of the strategy, Sherman stressed that reaching a zero-trust framework to improve the cybersecurity of DOD networks is pivotal. A strategy could set in motion changes to how the department establishes its security posture by organizing networks around the zero-trust principles of segmenting a network and limiting users’ access to only the data they need.

“I think we are at one of these inflection points here,” Sherman said during the Billington CyberSecurity Defense Summit. “Our current approaches are not going to take us into the future here.”

Zero trust is a security architecture that treats every user like an outsider, giving them literally zero trust and limiting their ability to roam about a network to minimize damage from an inevitable breach of a system’s perimeter. DOD officials have also teased a reference architecture guide being produced by the Defense Information Systems Agency and the National Security Agency.


The recent SolarWinds breach, where Russian hackers infiltrated networks through the software supply chain, has given government IT officials new motivation to shift to a zero-trust framework. It’s unclear if zero trust would have stopped the Russians’ hack of several government networks and thousands of private companies, but within a zero-trust model, they would not be able to move laterally to access data or be able to hide for long (or so security specialists hope).

While DOD already has some “defense in depth” measures in place, Sherman was emphatic that fully implementing the technical, cultural and strategic changes is a security imperative.

“We have robust security…we have a lot of the pieces here,” he said.

Sherman added that by the time DOD fully implements zero trust, it may already have a new moniker. But it’s the guiding principles of segmenting a network and limiting movement internally that are critical. The strategy, which should be finalized this year, is likely to address the technical and practical issues involved in zero trust, judging by how much Sherman emphasized the change in user and administrator culture needed for zero trust to work.

“This is not about technology, it’s about strategy,” he said.
