After months of planning and preparation, the Defense Department has begun executing its plans to move to a zero-trust cybersecurity framework. The DoD’s goal is to complete the transition by the end of fiscal year 2027, multiple senior Pentagon IT officials said.
“We’ve done a lot of planning, we’ve tried to educate the force, we’ve gotten the plans all submitted. And now, we’ve got to move into execution,” Deputy CIO for Cybersecurity Dave McKeown said.
What is Zero-Trust?
According to the Cybersecurity & Infrastructure Security Agency, “zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
A zero-trust model assumes that an organization’s internal networks are already compromised by adversaries. Because the network is treated as compromised, it requires constant monitoring and continual authentication of users and their devices.
The goal of this monitoring and authentication is to prevent unauthorized access to data and services and to make access control enforcement as granular as possible.
“Zero trust presents a shift from a location-centric model to a more data-centric approach for fine-grained security controls between users, systems, data and assets that change over time; for these reasons,” CISA outlines in its explanation of the model. “This provides the visibility needed to support the development, implementation, enforcement, and evolution of security policies. More fundamentally, zero trust may require a change in an organization’s philosophy and culture around cybersecurity.”
Why Now?
The DoD first released details about its Zero-Trust framework in 2022, outlining what the department considered “target levels” of zero trust, which include a minimum set of 91 capability outcomes that agencies and components must meet to secure and protect their networks.
The Pentagon set a goal of September 30, 2027, to reach those “target levels”.
As of April 4, IT officials at the DoD report that they are on track to meet this deadline.
“We’re clearly in the implementation phase,” Dave McKeown, DOD chief information security officer and deputy chief information officer for cybersecurity, said Wednesday at the Defense Acquisition University’s Zero Trust Symposium. “We’ve done a lot of planning, we’ve tried to educate the force, we’ve gotten the plans all submitted. And now, we’ve got to move into execution.”