The Department of Defense (DoD) is well on its way to implementing an enterprise-wide zero trust architecture following review of implementation plans from DoD organizations, the department’s zero trust lead said today, although the process has not been without its bumps in the road.
During the Visualyze Zero Trust Security Summit hosted by MeriTalk and Gigamon, Randy Resnick, chief of the DoD Zero Trust Office, shared the department’s current progress in reaching its fiscal year (FY) 2027 zero trust goal.
In late 2022, DoD released its zero trust strategy and roadmap outlining how the agency plans to fully implement a department-wide zero trust cybersecurity framework by FY 2027. As part of the strategy, the DoD Chief Information Officer’s (CIO) office asked DoD components to submit their own individual zero trust execution plans.
That request yielded 39 implementation plans from the components. The Zero Trust Office evaluated those plans between October and the holiday period and then engaged with components to understand where each stood in implementing the zero trust architecture.
“So, we have challenges,” Resnick said. “There are some themes not only in the two years that we have been in existence, but [what] a lot of people saw in the implementation plans.”
One of the most significant challenge areas is in policy and governance, and Resnick said that led to at least some components questioning the Zero Trust Office’s authority.
“We actually had some of the components telling us that the Zero Trust Portfolio Office has no direct charging to do anything [it] needs to do so why should [they] listen to us,” Resnick said.
“We took that seriously because that’s our very existence or leadership,” he said. “And we decided to write a directive that directly is now in coordination and in the signature process within DoD CIO. So, any question about our authority to oversee zero trust for the DoD will be eliminated.”
Another key challenge Resnick and his team identified was in cultural awareness. Component leaders, especially, were very much set in their ways and had no interest in incorporating new security protocols. However, he keyed on continuing learning and communication as solutions to this problem.
“The [implementation plans] are at different levels of sophistication,” Resnick said. “We’re not looking for precision right now. We’re looking for an understanding of what [the components] do in version 1.0 to deliver zero trust. We’ll get more sophisticated [with] version 2.0.”
DoD components have until October 2024 to submit version 2.0 of the implementation plans, revised to meet the standards set forth by the department.
While awaiting implementation plans 2.0 the DoD will work with the military services and the components to solve the challenges they raised during the review process and in various implementation plans, including policy and governance, GAP analysis, unverified zero trust solutions, cultural awareness and understanding, and funding — just to name a few.
The department expects to brief Congress on version 1.0 of the implementation plans by the end of March.