Defense Security Chief Teases 5-Year Zero Trust Strategy

The Pentagon will soon release a comprehensive strategy on zero trust that defines capabilities for the security framework to be implemented over the next five years, the Pentagon’s security chief said.

“We’re taking an aggressive stance. Our funding is in alignment with this — that we want to be at targeted zero trust for the department by the end of fiscal year 2027,” said Defense Department Deputy CIO for Cybersecurity David McKeown at the Billington Cybersecurity Summit in Washington, DC, Wednesday. “It is very comprehensive. It’s our north star.”

As part of the strategy coordinated with the newly pointed head of DOD’s Zero Trust Portfolio Management Office head Randy Resnick, McKeown highlighted that 90 capabilities are going to define what he called “targeted zero trust.” An additional 62 capabilities will define more “advanced zero trust” for applicability on critical national security systems.

Three methods, he added, will guide successful implementation: uplifting the current environment, implementing zero trust cloud on premises and partnering with cloud providers to examine current FedRAMP offerings.

Key tools to this effort — and also key for partnerships — will include creating software bills of materials (SBOMs) and acquiring tools to ingest that data.

“This is an area we definitely need help to reform,” McKeown said. “Both SolarWinds and Log4j are examples of software that we willingly accepted into our environment. The Log4j problem was even more difficult because we had this reliance on all software vendors. … We didn’t have a way of quickly enumerating which software had it and patch it and remove it from the network.”

“The Log4j vulnerability was a feature, not a bug,” Federal CISO Chris DeRusha said.

As agencies develop their zero trust strategies as with DOD, DeRusha said key tools in this process will complement other strategies around the customer experience and the workforce.

“We have to get better at customer experience and user experience when rolling out security solutions,” DeRusha said. “[SBOMs] are an enabling tool — not a silver bullet. …  They can help get the information folks need to do better vulnerability management.”