DOD Portfolio Office Uses Zero Trust to Fill Gaps in Cybersecurity Strategy

The Defense Department (DOD) is taking a step-by-step approach to zero trust with its Portfolio Management Office, which DOD OCIO established in January. The department expects to release a copy of this strategy with measurable outcomes in the next couple months, according to Randy Resnick, senior advisor of the Zero Trust Portfolio Management Office at DOD CIO/Cybersecurity.

DOD created the office after observing several opportunities in its cybersecurity strategy.

Resnick said money and resources had been thrown at cybersecurity for years, but ransomware attacks continued to happen. After experimenting with zero trust, DOD’s CIO office discovered not only could it significantly slow down the cyber incidents, but also it could have stopped them all together.

During FedInsider’s Action Steps to Zero Trust event, Resnick explained how the portfolio office will synchronize and bring all DOD cyber efforts together into a cohesive single “belly button” for the DOD CIO to make sense of what was happening with zero trust across the department.

“The office will keep everybody in sync so we’re not going to have this issue of non-interoperability and non-standard implementations of zero trust to prioritize and align all of the efforts in zero trust,” Resnick said. “We’re going to do this at an enterprise level. We believe the enterprise approach to zero trust is the answer for DOD rather than doing it project by project.”

Resnick described zero trust as a cybersecurity framework and a strategy, it’s not something you can buy. Implementing zero trust means creating a user inventory of who and what is allowed on the network.

“Each user and each device has to pass through two tests. They have to be authorized to get onto the network and have to be authenticated to get on the network — both have to happen. If one or the other doesn’t happen or fails, they aren’t allowed on the network,” Resnick said.

Resnick also discussed the difference between having the need to know and having the right to know when attempting to access data.

“Because just having the need to know doesn’t mean you have the right to know. You may have the need to know to get to a folder, but you may not have the right know to get into a specific file in that folder, so if you’re asking for access to a file both have to occur,” Resnick said.

Zero trust requires a list of checks, balances and tests throughout the entire process before granting data access.

“Once you sign out your session and you go back in five minutes later, the whole process continues from the beginning again. There is no assumption you are good for the day, you are only good for the session,” Resnick said. “Zero trust really tests the access rights to data, making sure the data is being protected from users that are not supposed to have any rights or access to that data.”

Resnick also discussed whether multi-factor authentication (MFA) will be a good component for zero trust in the future.

One concern with MFA is that it is only directed toward the user and completely ignores device security. Device security, such as software checks and patch updates, are critical to a robust cybersecurity strategy.

“The device has to be checked for hardware, firmware, software to make sure that nothing was modified or changed,” Resnick said. “The device has to be enrolled in the system to even know that it can get onto the system in the first place, otherwise you’re not allowed at all. It really is MFA connected to the big ‘yes’ for the device that will let you get onto the system. I’m a big proponent of MFA, but it has to come along with something else, otherwise you’re not really completing the picture here.”

DOD is working on a major plan that breaks down efforts across the zero-trust spectrum. Resnick wants the agency to break down all seven pillars of zero trust into actionable outcomes-based activity.

“We grouped each pillar into three chunks. We threw chunk one into fiscal 2023, we put chunk two into fiscal 2024 and put chunk three into fiscal 2025, and we felt it was a doable and achievable effort,” Resnick said. “So, we think we cracked the code on how to step through zero trust with measurable outcomes. It answers the question of where do I start? No one has been able to answer that question, and we believe we made great strides in trying to answer that question.”

A copy of this step-by-step process, which also measures desired outcomes, will be released in about six to eight weeks, he added.

“Staying under the present system we have today, I believe, is allowing the network to remain in a vulnerable state, and the faster we move to zero trust it becomes less vulnerable,” Resnick said.