Defense Leads Balance Legacy, Innovation in Move to Zero Trust

Defense Department components are navigating the landscape of zero trust implementation by balancing the urgent need for enhanced protection with the realities of legacy systems and rapid technological evolution officials said Thursday at the Defense IT Summit in Arlington, Virginia.

National Geospatial Agency (NGA) Deputy CISO for Management and Strategy and Cybersecurity Deputy Director, Cybersecurity Office Monica Montgomery said that her agency is ingraining cybersecurity into enterprise strategy to move zero trust forward.

“We’re really trying to drive a culture change so that cybersecurity is baked in. We’re not in a corner. Nobody puts baby in the corner,” Montgomery said. “We really want to embed that in our environment, in our day-to-day operations. That’s where we need to be.”

Principal Director for Cybersecurity and acting DOD CISO Gurpreet Bhatia added that the national security ecosystem requires zero-trust architectures because of the environment’s decentralized nature, and the increasing sophistication of attacks makes cybersecurity increasingly complex. DOD’s Zero Trust Portfolio Management Office works regularly with agency components to make implementation easier across DOD, Bhatia said.

“The goal really is about being able to deny adversaries access and swiftly react to threats,” said Bhatia. “The goal was to really kind of say, ‘hey, we need to do this in a holistic manner.’ And we are now being able to gauge that through folks [at defense components] and all the components submitting implementation plans on a yearly basis.”

The Department of the Navy’s Program Executive Officer for Digital and Enterprise Services Louis Koplin said that the department’s zero trust success stories — like its Flank Speed implementation — demonstrate that zero trust can enhance both operational resilience and user experience. He added that zero trust is a journey, not a destination, requiring an incremental and agile approach.

“We were able to demonstrate that zero trust is that rare technological shift where you get better operational resilience, cybersecurity and better user experience and productivity,” said Koplin. “That was a very much a win-win.”

Leveraging existing systems is critical to managing zero trust efficiently and responsibly, said Maximus Defense Market Cybersecurity Lead Kynan Carver.

“Zero trust actually lends itself to discovering efficiencies,” Carver noted, advocating for repurposing existing assets to zero trust rather than a “rip and replace” approach.

Agencies need to continuously innovate to bolster cybersecurity through zero trust, the officials said. Bhatia called for greater collaboration with industry to integrate cutting-edge technologies while maintaining modularity and resilience for the mission. He stressed the importance of aligning acquisition processes with evolving cybersecurity needs, ensuring that defense systems can adapt to future threats.

NGA is using gamification to enhance its zero-trust implementation and security posture, Montgomery said. The agency’s Program Integration Compliance Assessment (PICA) tool provides real-time feedback, she said, fostering a culture of continuous improvement. PICA, additionally, integrates with existing systems to provide a comprehensive view of compliance and risk management.

“No one wants to see a red box [or that] they are not compliant,” Montgomery said. “They try very hard to make that show progress towards compliance, even though we’re trying to say this isn’t a compliance thing.”

Innovation and collaboration are critical to moving zero trust and cybersecurity forward throughout DOD, Bhatia added. Modularity of systems and innovation are key to resilience, he added.

“It’s an incredibly complex ecosystem – with our industrial base, with our allies and our own enterprise. Our enterprise also in the U.S. is the federal government and other state and local governments that we have to collaborate with,” explained Bhatia. “We’re thinking through that ecosystem now … to get to a place where we can actually start to look at technology as something that is in the back of our minds, and we are able to swap out things as we need to, but [we need to] have systems that resilient enough that they will survive the test of time as well.”