DOD Portfolio Office Uses Zero Trust to Fill Gaps in Cybersecurity Strategy
Newly organized portfolio management office helps prioritize and align all zero trust efforts across DOD.
The Defense Department (DOD) is taking a step-by-step approach to zero trust with its Portfolio Management Office, which DOD OCIO established in January. The department expects to release a copy of this strategy with measurable outcomes in the next couple of months, according to Randy Resnick, senior advisor of the Zero Trust Portfolio Management Office at DOD CIO/Cybersecurity.
DOD created the office after observing several opportunities in its cybersecurity strategy.
Resnick said money and resources had been thrown at cybersecurity for years, but ransomware attacks continued to happen. After experimenting with zero trust, DOD’s CIO office discovered that it could not only significantly slow down the cyber incidents but could have stopped them altogether.
During FedInsider’s Action Steps to Zero Trust event, Resnick explained how the portfolio office will synchronize and bring all DOD cyber efforts together into a cohesive single “belly button” for the DOD CIO to make sense of what was happening with zero trust across the department.
“The office will keep everybody in sync so we’re not going to have this issue of non-interoperability and non-standard implementations of zero trust to prioritize and align all of the efforts in zero trust,” Resnick said. “We’re going to do this at an enterprise level. We believe the enterprise approach to zero trust is the answer for DOD rather than doing it project by project.”
Resnick described zero trust as a cybersecurity framework and a strategy, not something you can buy. Implementing zero trust means creating a user inventory of who and what is allowed on the network.
“Each user and each device has to pass through two tests. They have to be authorized to get onto the network and have to be authenticated to get on the network — both have to happen. If one or the other doesn’t happen or fails, they aren’t allowed on the network,” Resnick said.
Resnick also discussed the difference between having the need to know and having the right to know when attempting to access data.
“Because just having the need to know doesn’t mean you have the right to know. You may have the need to know to get to a folder, but you may not have the right to know to get into a specific file in that folder, so if you’re asking for access to a file both have to occur,” Resnick said.
Zero trust requires a list of checks, balances and tests throughout the entire process before granting data access.
“Once you sign out your session and you go back in five minutes later, the whole process continues from the beginning again. There is no assumption you are good for the day, you are only good for the session,” Resnick said. “Zero trust really tests the access rights to data, making sure the data is being protected from users that are not supposed to have any rights or access to that data.”
Resnick also discussed whether multi-factor authentication (MFA) will be a good component for zero trust in the future.
One concern with MFA is that it is only directed toward the user and completely ignores device security. Device security, such as software checks and patch updates, is critical to a robust cybersecurity strategy.
“The device has to be checked for hardware, firmware, software to make sure that nothing was modified or changed,” Resnick said. “The device has to be enrolled in the system to even know that it can get onto the system in the first place, otherwise you’re not allowed at all. It really is MFA connected to the big ‘yes’ for the device that will let you get onto the system. I’m a big proponent of MFA, but it has to come along with something else, otherwise you’re not really completing the picture here.”
DOD is working on a major plan that breaks down efforts across the zero-trust spectrum. Resnick wants the agency to break down all seven pillars of zero trust into actionable, outcomes-based activities.
“We grouped each pillar into three chunks. We threw chunk one into fiscal 2023, we put chunk two into fiscal 2024 and put chunk three into fiscal 2025, and we felt it was a doable and achievable effort,” Resnick said. “So, we think we cracked the code on how to step through zero trust with measurable outcomes. It answers the question of where do I start? No one has been able to answer that question, and we believe we made great strides in trying to answer that question.”
A copy of this step-by-step process, which also measures desired outcomes, will be released in about six to eight weeks, he added.
“Staying under the present system we have today, I believe, is allowing the network to remain in a vulnerable state, and the faster we move to zero trust it becomes less vulnerable,” Resnick said.