CISA, DOD Tackle Next Steps in Zero-Trust Implementation

Federal leaders discuss future strategies and culture impacts around successful zero trust implementation amid new organizational structures.

CyberScape Summit: Zero Trust Implementation Panel
Panelists speak at the CyberScape Summit in Reston, Virginia, March 7, 2024. Photo Credit: Capitol Events Photography

The Cybersecurity and Infrastructure Security Agency (CISA) and the Defense Department (DOD) are progressing toward implementing zero trust, agency officials said at GovCIO Media & Research’s CyberScape Summit Thursday.

DOD’s Zero Trust Portfolio Management Office has played an integral role in overseeing the department-wide effort to reach target zero trust maturity by the end of 2027. Office Director Randy Resnick said it has evaluated 39 implementation plans from DOD components since October 2023 and, after engaging one-on-one with all the components, has approved each one.

“They have the strategy, they have the plan, they have schedules. It’s understandable and was accepted by our team and that’s what we’re going to start tracking,” said Resnick. “It’s not a one-and-done. In October, we’re going to have a version 2.0 of the implementation plan. I’m seeing an iterative refinement of more detail, with more definition of exactly what’s going to be implemented in order to achieve target zero trust.”

Implementing zero trust for a federal agency as large as DOD and across multiple classification environments is a feat other agencies can learn from. During the summit, Resnick noted there’s not just one way to implement zero trust.

“You can improve where you have existing in the ground, we call that course of action one. You could do commercial cloud, which we’re engaging in with the [Joint Warfighting Cloud Capability] vendors right now to see whether or not they could do zero trust in their clouds — and that’s aggressively being worked. And of course, action three would be on preliminary private cloud, which we are aware a number of companies are doing on their own,” said Resnick.

CISA CIO Robert Costello noted his agency’s zero trust journey has been complicated, but there will soon be more movement toward full implementation.

“About 10,000 people will be moving over the next few months to a solution that really hits all five pillars of zero trust. It’s going to be a pretty rough migration to do this because we’re coming from systems in some cases that don’t need a lot of the zero trust guidance,” said Costello. “We’re migrating to a greenfield solution, which is pretty rare in government. Often we’re building on to a bunch of other solutions. We’re really proud of that.”

Costello and Resnick cited financial hurdles to implementation, but the main obstacle is hiring people well-versed in zero trust. Resnick said the number of subject matter experts who truly understand it is very low.

“If you really count the number of people that really understand zero trust today, it is minuscule compared to the requirement,” said Resnick. “There is a voracious appetite to grab people that understand zero trust because they’re being put into place immediately on helping to implement and think through how to solve these problems. From an education and training sort of aspect, there’s a deficit.”

Costello agreed that more emphasis needs to be placed on hiring a workforce that is knowledgeable about zero trust.

“Human resources is an area where we’re all fighting for the same people, and good people don’t often stay in the same place as long as they used to,” said Costello. “On the civilian side, we need to ensure that CIOs, if they are not a business person, that they have people on their staff that can explain the business impact, particularly to agency leaders.”

Industry experts believe shifting the workforce culture to adopt zero-trust principles is also essential to the migration process.

Cisco National Security and Government Senior Strategist for Cybersecurity Andy Stewart suggested agencies should start with what they already own. He said that organizations don’t always have to pursue an expensive and in-depth approach, but should consider integrating the capabilities they already have on hand.

“One large DOD combatant commander that we support had a zero-trust pilot. They didn’t buy anything new. They actually focused on getting the policy right. But to do that, they had to again pull the people together,” said Stewart. “The security team and the infrastructure team started talking about what capabilities they had, what policies they needed to put in place and how their capabilities could work together, and they were very successful because everyone agreed upon the mission.”

Resnick said DOD’s functional management offices are playing a significant role in helping the agency retrain the workforce and accelerate zero trust.

“Each one of those 41 components have now set up or they’re about to set up a zero trust functional management office of a couple of people that are working full time that are focused only on their component in the acceleration of zero trust,” Resnick said. “That helps because now they could focus on training. You have to upskill the workforce. There’s just not enough people that truly understand all the dimensions of zero trust.”

Resnick also called on the vendor community to offer zero trust classes to servicemembers.

“There needs to be specialized classes, whether it’s from a company or whether it’s from an association,” said Resnick. “It needs to be really from a professional point of view or polished point of view, and so we’re looking for industry to start coming up with some of the zero-trust training classes so that we can get our servicemembers up to snuff.”
