Zero trust guide coming to DOD in 2021
The Defense Information Systems Agency plans to release a zero-trust reference guide next year, a step in moving Department of Defense networks to a new security configuration.
The reference guide will provide a blueprint for defense agencies and IT shops to transition networks to a model that treats every user with the same heightened level of security. In essence, the network literally gives zero trust to its users.
The concept is not new to the DOD, with many similar compartmentalized configurations already in place for certain sensitive information. But most enterprise network architectures still rely on perimeter defense, like using strong passwords.
The reference guide is the product of an ongoing collaboration between DISA, the National Security Agency, U.S. Cyber Command and the private sector. DISA Director Vice Adm. Nancy Norton first mentioned the reference guide in early December at AFCEA’s Tech Net Cyber conference. NSA also confirmed the news to FedScoop.
“NSA has been working jointly with Defense Information Systems Agency and U.S. Cyber Command on the development of Zero Trust as the new cybersecurity framework to prevent, detect, respond and recover against cyberattacks to critical systems,” Neal Ziring, technical director at NSA’s Cybersecurity Directorate, told FedScoop in an email.
Rolling out zero trust across the military will be different than other cyber initiatives, DOD leaders have said. It’s a wholesale shift in the architecture of DOD’s networks with the changes that must happen over time, Norton said.
“It’s not a rollout like it would be for most programs because zero trust is not a program,” she said, adding that the reference guide will provide “a way to think about the tools we are using.”
Trusted public-private partnership
DreamPort, a private cybersecurity lab that is run by the Maryland Innovation and Security Institute (MISI), played a critical role in the collaborations between agencies and the private sector in developing the reference guide. The organization helped set up a zero-trust lab out of its workplace in Columbia, Md. The lab was set up through a partnership with NSA, Cyber Command and other security-focused agencies.
DreamPort said it helped get the government new technology and software to test and provided a place for vendors and government officials to meet “without the red tape,” Armando Seay, co-founder of MISI, told FedScoop in an email.
“The lab was and is an ever-evolving foundation for perpetual experimentation, evaluation and proof of viability prototyping,” Seay said.
The collaborations included “thought leaders” and early pioneers in the zero-trust movement, he added. The lab will continue to run as a place to collaborate in an unclassified space.
“The ability to engage with our stakeholders at the lowest possible classification level allows for broader engagements across the community and an increased understanding of cybersecurity as it evolves,” Ziring said. “We have a separate testbed with DISA that will host any anticipated classified information.”
This story was featured in FedScoop Special Report: Zero Trust: Evolving Government Cybersecurity - A FedScoop Special Report