Defense Security Chief Teases 5-Year Zero Trust Strategy
Key tools within the strategy include software bills of materials and data analytics.
![image of DOD Deputy CIO for Cybersecurity David McKeown speaks with panelists including Federal CISO Chris DeRusha at Billington Cybersecurity Summit in Washington, DC, September 7, 2022](https://govciomedia.com/wp-content/uploads/2023/10/1000x650_defense_security_chief_teases_5_year_zero_trust_strategy.jpg?fit=max&auto=format&cs=adobergb1998&auto=compress)
The Pentagon will soon release a comprehensive strategy on zero trust that defines capabilities for the security framework to be implemented over the next five years, the Pentagon’s security chief said.
“We’re taking an aggressive stance. Our funding is in alignment with this — that we want to be at targeted zero trust for the department by the end of fiscal year 2027,” said Defense Department Deputy CIO for Cybersecurity David McKeown at the Billington Cybersecurity Summit in Washington, DC, Wednesday. “It is very comprehensive. It’s our north star.”
As part of the strategy, coordinated with Randy Resnick, the newly appointed head of DOD’s Zero Trust Portfolio Management Office, McKeown highlighted that 90 capabilities are going to define what he called “targeted zero trust.” An additional 62 capabilities will define more “advanced zero trust” for applicability on critical national security systems.
Three methods, he added, will guide successful implementation: uplifting the current environment, implementing zero trust cloud on premises and partnering with cloud providers to examine current FedRAMP offerings.
Key tools to this effort — and also key for partnerships — will include creating software bills of materials (SBOMs) and acquiring tools to ingest that data.
“This is an area we definitely need help to reform,” McKeown said. “Both SolarWinds and Log4j are examples of software that we willingly accepted into our environment. The Log4j problem was even more difficult because we had this reliance on all software vendors. … We didn’t have a way of quickly enumerating which software had it and patch it and remove it from the network.”
“The Log4j vulnerability was a feature, not a bug,” Federal CISO Chris DeRusha said.
As agencies develop their own zero trust strategies alongside DOD’s, DeRusha said the key tools in this process will complement other strategies around the customer experience and the workforce.
“We have to get better at customer experience and user experience when rolling out security solutions,” DeRusha said. “[SBOMs] are an enabling tool — not a silver bullet. … They can help get the information folks need to do better vulnerability management.”
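The enumeration problem McKeown describes (quickly finding which deployed software contains an affected library) is exactly what an ingested SBOM answers. The following is an added illustration, not code from the article or from DOD: it walks a small constructed inventory of CycloneDX-style SBOM documents, including transitive components nested under a parent, and lists every application whose copy of a named library falls in an assumed affected version range. The application names, versions and the range itself are invented for the example.

```python
"""Enumerate which applications in an SBOM inventory carry an affected component."""
import re
from typing import Iterator

# Constructed sample inventory: one CycloneDX-style document per deployed application.
# Field names follow CycloneDX JSON conventions; all values are invented.
SAMPLE_SBOMS = [
    {"metadata": {"component": {"name": "ticketing-portal", "version": "3.1"}},
     "components": [
         {"type": "library", "name": "log4j-core", "version": "2.14.1",
          "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
         {"type": "library", "name": "jackson-databind", "version": "2.12.3"}]},
    {"metadata": {"component": {"name": "hr-service", "version": "7.0"}},
     "components": [
         {"type": "framework", "name": "spring-boot", "version": "2.5.0",
          "components": [  # transitive dependency nested under its parent
              {"type": "library", "name": "log4j-core", "version": "2.17.1",
               "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]}]},
    {"metadata": {"component": {"name": "batch-runner", "version": "1.2"}},
     "components": [
         {"type": "library", "name": "log4j-core", "version": "2.3",
          "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.3"}]},
]


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1). Only the leading digits of each dot-separated part
    count, so a pre-release tag such as '2.0-beta9' compares as (2, 0)."""
    parts = [re.match(r"\d+", p) for p in v.split(".")]
    return tuple(int(m.group()) for m in parts if m)


def walk_components(components: list) -> Iterator[dict]:
    """Yield every component, descending into nested (transitive) components."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def affected_apps(sboms: list, name: str, min_incl: str, max_excl: str) -> list:
    """Return (app, app_version, component_version) for each application whose
    copy of `name` satisfies min_incl <= version < max_excl."""
    lo, hi = parse_version(min_incl), parse_version(max_excl)
    hits = []
    for bom in sboms:
        app = bom["metadata"]["component"]
        for comp in walk_components(bom.get("components", [])):
            if comp.get("name") == name and lo <= parse_version(comp["version"]) < hi:
                hits.append((app["name"], app["version"], comp["version"]))
    return hits


if __name__ == "__main__":
    # Assumed affected range for the demo; substitute the advisory's real bounds.
    for hit in affected_apps(SAMPLE_SBOMS, "log4j-core", "2.0", "2.15.0"):
        print("affected: %s %s ships %s" % hit)
```

The same walk works over a directory of real SBOM files once each is loaded with `json.load`; the output is the patch-and-remove worklist the quote says was missing.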