New Defense Zero Trust Strategy Has Many FY 2023 Objectives
Published: December 01, 2022
The Pentagon’s new Zero Trust Strategy and Execution Roadmap will drive resource and budget priorities through FY 2027.
The Department of Defense (DoD) recently released the public version of its Zero Trust Strategy and Zero Trust Capability Execution Roadmap. The plan builds upon the Pentagon’s previously released Zero Trust Reference Architecture and sets the military services and Defense Department agencies on a path towards fully implementing zero trust by the end of fiscal year (FY) 2027. (By comparison, OMB is pushing federal civilian agencies to deploy zero trust by the end of FY 2024.)
DoD ZT Strategy Goals and FY 2023 Objectives
The DoD ZT goals and objectives are built around the seven DoD ZT Pillars found in the ZT Reference Architecture (RA): User, Devices, Applications and Workload, Data, Network & Environment, Automation and Orchestration, and Visibility and Analytics. (See Goal 2 below.)
The following four goals span the lifecycle of the strategy, i.e., through FY 2027, while the objectives highlighted below are selected because they focus on the near-term, FY 2023.
Goal 1. Zero Trust Cultural Adoption. A Zero Trust security framework and mindset that guides the design, development, integration, and deployment of information technology across the DoD Zero Trust Ecosystem.
FY 2023 Objectives include:
- Commitment: Transform DoD cybersecurity to a ZT framework that is universally understood, accepted, and embraced by DoD Components.
- Outreach: Conduct a comprehensive ZT outreach initiative to inform and share data from ZT efforts and to define standards, minimize duplications, emphasize successes, and to facilitate an open exchange of information sharing with DoD, federal, and academia partners.
- Awareness: Implement internal and external communication campaigns at all levels, including with the DIB and foreign allies as appropriate, to include Department-wide advocacy, awareness, and support for the implementation of the DoD ZT strategy goals and objectives.
Goal 2. DoD Information Systems Secured & Defended. DoD cybersecurity practices incorporate and operationalize Zero Trust to achieve enterprise resilience in DoD information systems.
FY 2023 Objectives across the seven ZT Pillars include:
- User: Inventory Users; Develop an Organizational Multi-Factor Authentication and Identity Provider (MFA/IDP); Implement User & Entity Behavior Activity (UEBA) Tooling; Implement Least Privileged Access – Deny User by Default Policy; Implement Continuous Authentication – Single Authentication.
- Devices: Perform Device Health Tool Gap Analysis; Integrate Next Gen. AV Tools with Comply to Connect (C2C); Remote Access – Managed and Limited BYOD and IOT Support; Unified Endpoint Management (UEM) & Mobile Device Management (MDM) – Enterprise Device Management (Pt. 1).
- Applications and Workload: Software Risk Management – Vulnerability Management Program (Pt. 1); Resource Authorization & Integration – SDC Resource Authorization (Pt. 1).
- Data: Data Catalog Risk Alignment – Data Analysis; DOD Enterprise Data Governance – Define Data Tagging Standards, Interoperability Standards, Develop Software Defined Storage (SDS) Policy; Data Monitoring and Sensing – DLP Enforcement Point Logging and Analysis, DRM Enforcement Point Logging and Analysis.
- Network & Environment: Data Flow Mapping – Define Granular Control Access Rules and Policies, (Pt. 1); Macro Segmentation – Datacenter Macro Segmentation.
- Automation and Orchestration: Policy Decision Point (PDP) & Policy Orchestration – Policy Inventory & Development; Critical Process Automation – Task Automation Analysis; Security Orchestration Automation & Response (SOAR) – Response Automation Analysis; API Standardization – Tool Compliance Analysis; Standardized API Calls & Schemas (Pt. 1); Security Operation Center (SOC) & Incident Response (IR) – Workflow Enrichment (Pt. 1).
- Visibility and Analytics: Log All Traffic (Network, Data, Apps, Users) – Scale Considerations.
Goal 3. Technology Acceleration. Zero Trust-based technologies deploy at a pace equal to or exceeding industry advancements to remain ahead of the changing threat environment.
FY 2023 Objectives include:
- Architecture: Align, update, and maintain agile-based reference architectures and research, development, and engineering efforts with ZT architecture principles.
Goal 4. Zero Trust Enablement. DoD Zero Trust execution integrates with Department-level and Component-level processes resulting in seamless and coordinated ZT execution.
FY 2023 Objectives include:
- Policy: Establish a unified policy and other guidance to integrate the latest tested and proven cybersecurity best practices, standardize management of requirements, and share best practices.
- Planning: Incorporate ZT requirements into DoD-wide and Component-specific strategies, policies, frameworks, directives, and contracts.
- Programming: Align DoD Future Years Defense Program (FYDP) to adequately support execution of the ZT Implementation Roadmap.
- Acquisition: Develop a plan to acquire and deploy solutions and technologies that advance ZT.
Zero Trust Will Be Impacting Future Budgets
The DoD Zero Trust (ZT) Strategy includes directives to Defense Components to follow the DoD CIO's Capability Programming Guidance (CPG) and the Planning, Programming, Budgeting and Execution (PPBE) process to shape their budgets in ways necessary to execute on ZT. In addition, “DoD CIO will work with Components to address any Component-level resourcing shortfalls, each fiscal year… Additionally, DoD CIO will work with Components to submit requests for new funding to Congressional appropriators through the regular DoD resourcing processes.” In July, OMB directed civilian agencies to place ZT among the highest budget priorities for their FY 2024 IT cybersecurity budgets.