Zero Trust Cybersecurity Plan This Year From DISA & NSA – Breaking Defense

DISA Director Vice Adm. Nancy Norton (center) cuts a ribbon last to celebrate a new DISA Global Operations Center West at Hill AFB in Utah.

WASHINGTON: Agencies from across the Defense Department are coming together to turn zero trust from buzzword to reality. Led by the Defense Information Systems Agency (DISA) and the National Security Agency (NSA), the workshops goal is to create a set of best practices to guide upgrades across DoD, said Vice Adm. Nancy Norton. Norton commands both DISA, the Pentagons tech support agency, and JHFQ-DoDIN, the DODs operational HQ for day-to-day cybersecurity.

The initial Zero Trust Reference Architecture will be out towards the end of this year, Norton told AFCEAs annual Army Signal conference this morning. While lots of companies are eager to sell products labeled zero trust, the architecture is intended to show Defense Department organizations how they can upgrade the technology they already have.

That means converting systems that now rely on a single line of defense to a layered defense based on zero trust. Most current information technology including countless aging systems in the Defense Department relies on perimeter security, where logging in means you can access all the data on a given device or even a whole network. But cybersecurity experts assume these days that the enemy will get through that perimeter or be already inside it with legitimate credentials, as Ed Snowden was at NSA. So zero trust constantly checks and re-checks each user and software process each time they try to access data, operating under the principle of deny by default. You dont get access unless you specifically prove you should have it.

The standard analogy is a castle with a moat. Perimeter security checks visitors at the drawbridge and then gives them free run of the castle, while zero trust posts guards at every chamber.

Thats a huge change, requiring a complex kit of analytic software, identification and verification systems, and bureaucratic policies. But the Pentagon cant afford to rip out its entire IT system and buy a replacement.

We very much understand that this is not going to be a wholesale, green-field approach to new network architecture, Norton said. Were not starting over again [buying] wholesale new equipment. We are taking whats out there today with our legacy equipment and incorporating new principles and new analytics and specific kinds of policies adding devices and automation into the architecture that we already have.

Since the plan is to add zero trust to existing systems, DISA and NSA need to understand how those systems work. Hence the workshops theyre conducting with other agencies, from roughly quarterly meetings of top officials down to more frequent conclaves at the working level.

The workshops are going really well and were getting lots of participation, Norton said. There is definitely a lot of interest in there.

The Armys plan to integrate its enterprise (homebase) and tactical (battlefield) networks.

Ambivalence in the ArmyThe Armys chief information officer, Lt. Gen. Bruce Crawford, has been particularly enthusiastic and ahead of the curve, Adm. Norton told an Army-heavy audience at AFCEA.

The Army very definitely has from the beginning said, we want to be part of zero trust, Norton said. Gen. Crawford was pushing, actually, DISA [to] move to a zero trust environment.

The Armys Network Enterprise Technology Command (NETCOM) is already working on a zero trust pilot project with Nortons JFHQ-DODIN, NETCOMs chief engineer told the AFCEA conference. A few months ago [US Cyber Command] asked each of the services to conduct a zero-trust pilot, Patrick Dedham said. We stood up a team thats actually trying to implement a zero-trust environment using a [Microsoft] 365 environment.

As with the DISA-led, DoD-wide effort, the NETCOM pilot is focused on the nitty-grity of implementing zero trust in existing technology, not some grand plan to rip everything out and replace it with shiny new stuff. As we go through that pilot and discover what does it really mean to implement zero trust principles on our network today, then thatll allow us to come up with a much better architecture, Dedham said. Zero trust is going to be a journeyRight now were very perimeter-security-based.

As hard as it is to implement zero trust in the Defense Departments enterprise networks which are largely based in the US with easy access to fiber optic landlines it might take even longer to implement in the tactical units that units deploy with, which largely depend on radio and which must work alongside foreign allies.

Maj. Gen. Peter Gallagher

We have to connect with coalition teammates, okay? We absolutely have to, said Maj. Gen. Peter Gallagher, who leads the network modernization team at Army Futures Command. We use terms like zero trust and identity management and all that stuff, [but in a combat zone] you cant necessarily confirm the security clearance of everyone youre sharing information with.

Theres always a fine line between security and operational effectiveness the ability to command and control and fight as a coalition, Gallagher said. Indeed, one of the biggest decisions the Army has made about its future tactical network is to keep as much data as possible unclassified because it streamlines information-sharing not just with allies but even with other US units.

Properly implemented, zero trust could make it easier to share data across a coalition, said Paul Puckett, who heads the Army CIOs nine-month-old Enterprise Cloud Management Office. Perimeter security often required you have to have one network for all the US users and another, separate and unequal, for non-US users. But with zero trust, you can have a single network that manages individual users and their access in a much more nuanced way. Every user, device, and piece of data gets labeled with metadata attributes that clearly describe its identity and what its allowed to connect with, he said, whether theyre a US person or not, whether they have clearances or not.

Gallagher is watching this work on zero trust with interest but considerable caution. Were going to have to follow where NETCOM goes, Gallagher told the conference, because weve got to get the enterprise set first, and do it right, before were going to be able to really capitalize on it in the tactical space.

Read more:
Zero Trust Cybersecurity Plan This Year From DISA & NSA - Breaking Defense