WASHINGTON — With the leak of hundreds of classified documents and a new zero trust strategy, the Pentagon became laser focused on getting the implementation of the security concept right this year.
Zero trust means rather than letting users who pass security checks have free reign over a network, there would be continual checks to make sure each user is allowed to access different information. Essentially, under zero trust, networks are always assumed to be compromised.
The Pentagon released a zero trust strategy and roadmap in 2022 that painted a concerning picture for the Defense Department’s information enterprise, which is “under wide-scale and persistent attack from known and unknown malicious actors,” and specifically China. The strategy outlined what it would take to get the department to both a “targeted” and “advanced” level of zero trust.
[This article is one of many in a series in which Breaking Defense reporters look back on the most significant (and entertaining) news stories of 2023 and look forward to what 2024 may hold.]
Defense Department Chief Information Officer John Sherman set the tone early in the year by telling Breaking Defense that a major focus over 2023 would be starting to implement zero trust with a full baseline version of the strategy by fiscal 2027.
And while it remains unclear if a full implementation of the security concept earlier could have prevented the leaking of national security documents in what became known as the Discord leaks, Sherman in May said, “it sure as heck would’ve made it a lot more likely” that DoD could’ve prevented it.
But the path to zero trust may not be so simple. In June, Randy Resnick, director of DoD’s zero trust portfolio management office, said his office was finding it “hard to orchestrate” each individual military service’s zero trust efforts into something cohesive. As a result, DoD started doing weekly “huddles” and quarterly meetings with the services and “communities of interest” in an effort to educate them on how to execute the vision outlined in DoD’s zero trust strategy.
The military services and DoD components submitted their own zero trust implementation plans by October, Signal Media reported. In September, Sherman said DoD was getting ready to review those plans and the assessments would be led by Resnick’s team, who’d make sure the plans align with the department’s fielding of targeted zero trust.
And industry seemed to align to DoD’s ambitions. Amy Gilliland, president of General Dynamics Information Technology, told Breaking Defense in June that the company was pouring more money towards areas DoD deemed critical, including zero trust.
Gilliland said GDIT was increasing its investment this year by 50 percent in areas that mirror DoD’s increased investments: zero trust, 5G, multi-cloud management, software factories, automation for IT operations and artificial intelligence and machine learning. The company, she said, was also working to increase investments in quantum computing and defensive cyber operations.
One major zero trust program hailed out of the Defense Information Systems Agency finally reached a milestone this year. Booz Allen Hamilton in July was awarded a production agreement worth up to $1.86 billion for Thunderdome, DISA’s zero trust network architecture program. The contract was a follow-on production award for the company as DISA transitioned Thunderdome from prototyping to production.
Overall, it seems that DoD is taking steps down the path toward true zero trust, but there’s a ways to go.