3 Takeaways From The DoD Zero-Trust Strategy and Roadmap

Following a series of executive orders aimed at bolstering the country’s cybersecurity posture over the last few years, the DoD is now aligning with much of the federal government in pursuing a more unified, standardized approach to cybersecurity.

While the DoD will continue to encourage its various components to stand up their own zero-trust offices (e.g., the Army confirmed in October 2022 that the service will establish its own zero-trust office), the goal of targeted zero-trust by FY27 ensures that all branches will adhere to a universal minimum standard of network security and best practices. The DoD can be expected to drive this initiative with a cultural focus on zero-trust training and adoption as well as strategic use of the Planning, Programming, Budgeting, and Execution (PPBE) process for resource allocation.

The roadmap describes how the Department is under “wide-scale and persistent attack from known and unknown malicious actors” who “often” breach the Pentagon’s “defensive perimeter.” The timeline for components to phase in zero-trust implementation — with the first deadline, logging all network traffic, arriving in Q4 of FY23 — illustrates the real urgency behind this initiative.

The roadmap even provides accelerated timelines for components to more quickly reach “advanced zero-trust.” While not yet a requirement, advanced zero-trust goes beyond targeted zero-trust and includes a greater focus on the “Respond” and “Recover” functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), with the goal of more effectively countering advanced persistent threats (APTs) and nation-state adversaries.

While the roadmap does name what capabilities the DoD must implement to achieve targeted zero-trust, it does not point to specific technologies or solutions. That’s where collaboration and partnership with commercial providers will play a critical role in helping the Department meet its goals.

The roadmap defines three courses of action for the Department to reach targeted zero-trust: establish a zero-trust “baseline,” partner with commercial providers to develop zero-trust compliant cloud environments, and utilize government-owned private cloud. There is a clear role for providers in each of these areas. Finally, integration across solutions and the different pillars of zero-trust, which creates greater visibility and the ability to organize a more effective response to threat actions, will be a critical area for industry partners to address as the Department is seeking help in this regard.