DOD Zero Trust Chief: ZT Implementation Requires Clearer Standards
Randy Resnick, director of the DOD Zero Trust Portfolio Management Office, announced an upcoming memo to eliminate ambiguity on its zero-trust guidelines.

The Defense Department Zero Trust Portfolio Management Office is developing new language to eliminate ambiguity in zero-trust implementation standards and protocols, Randy Resnick, director of the DOD Zero Trust Portfolio Management Office, said at AFCEA TechNet Cyber in Baltimore Tuesday.
“We wrote a [directive type memo], if it’s not out, it’s going to be out very, very soon,” Resnick said. “You will see language in it that makes it very clear what the portfolio office capabilities are and the power that we have over telling the department just how to do things in terms of policy deadlines and such. It also clearly outlines what… the agency’s roles and responsibilities are for zero trust.”
Resnick said that his office will release the document within the next two months. The memo will define roles and responsibilities for zero trust in the department and eliminate “gaps” and “gray areas.”
As zero trust becomes standard for agencies like DOD, the change in posture is creating a knock-on effect for the country’s partners and allies as well. Resnick said that the department’s zero trust work inadvertently influenced other countries’ policies.
“Our allies are now following, thinking—plagiarizing — the way we do zero trust in the Department of Defense. You’ll see it within their documents,” he said. “Instead of the blood, sweat and tears of five years of ZT before the portfolio office started back at NSA, they jumped right to the solution and they accepted our hard work in the department, and they said, ‘This looks pretty good to us.’”
Though international partners might have reasons for not fully implementing the DOD zero-trust strategy, Resnick added, they take portions and develop them for their own use.
Despite this adoption, Resnick said there are still gaps in training that he hopes industry can fill.
“There’s a role for industry to play. Industry has all kinds of training and all kinds of other things in network security, cybersecurity, and yet I still see a little gap in zero trust,” Resnick said. “I’m encouraging industry not to stand by but to actually be aggressive here, and to actually come up with zero trust training. Because, I assure you, once the training exists, they’re not going to take all the online classes only from [Defense Acquisition University] and you’re going to have a ready market for zero-trust training at whatever level, from 101 to 401 on zero trust.”
According to Resnick, the Zero Trust Portfolio Management Office is using innovative techniques to improve zero trust across the agency. This includes what he called “purple teaming,” an exercise in which red and blue teams fight and shift with each other in attacking and defending systems within a simulated environment.
To Resnick, exercises like purple teaming are critical to getting everyone speaking the same language and understanding DOD requirements when it comes to zero trust and cybersecurity.
“Right now we see that there’s no repeatable process. This is a problem. We said in the past that we really don’t know how a component gets to zero trust just as long as they get to target, but it really didn’t address the DevSecOps part of what the vendors are doing in order to keep them in the spirit of the best principles that we can think of, and have it done repeatedly so that when we go and Purple Team them, we have a higher assurance that has been designed correctly,” Resnick said.
While changing the culture surrounding zero trust is critical to the health of the department, Resnick said that an employed “permafrost” is likely to never fully embrace new cybersecurity principles. Waiting them out is more likely than shifting their workflow, he added.
“We have a bigger burden of figuring out how to explain zero trust and its fundamentals and to actually get through the culture inertia that exists in the department,” Resnick said. “The only people that push back are what I would call the middle layer, the permafrost, as we jokingly say, that is frozen in time. They feel threatened because they’re doing the old style of cybersecurity. I did it myself. I totally understand. But these people, if they haven’t learned now, they’re never going to learn. And so I truly believe it’s a generational thing. We’re going to have to wait until they retire out, and so you won’t see this problem in another 10 years.”