
How the Navy is Scaling Zero Trust With Flank Speed


Cyber officials say cloud platforms like Flank Speed are key to applying zero trust across enterprise IT and operational technology systems.

Scott St. Pierre, director of Enterprise Networks and Cybersecurity at OPNAV N2N6D, speaks at GovCIO Media & Research's Federal Zero Trust Forum on Dec. 16, 2025, in Arlington, Virginia. Photo Credit: Invision Events

Federal cyber leaders are expanding cloud-based enterprise services and extending zero-trust principles beyond traditional IT systems to operational technology.

“Adopting those cloud capabilities has been critical,” said Scott St. Pierre, director of Enterprise Networks and Cybersecurity at OPNAV N2N6D, during GovCIO Media & Research’s Federal Zero Trust Forum in Arlington, Virginia, Tuesday. “More importantly, they bring a measure of zero trust with them. Most cloud environments are already designed with zero trust in mind, which allows us to adopt what those providers have built.”

Moving to the cloud has also enabled the Navy to simplify its architecture by shifting toward enterprise services, St. Pierre added.

“[The cloud] allows us to shift to enterprise services. When we abstract away the hardware layers, the architecture actually becomes simpler,” he said. “That’s been a tremendous benefit for where we’re going and what we’re trying to do … getting to enterprise architectures and executing our Navy blueprint for a modern information ecosystem.”

Flank Speed as a Zero Trust Use Case

The Navy’s transition from the Common Virtualized Runtime/Environment (CVR) to the Microsoft-operated Flank Speed platform represents its most significant zero-trust initiative to date. Flank Speed emphasizes continuous verification, least-privilege access and microsegmentation, replacing legacy VPN-based access with identity-driven security for more than 470,000 users.

The service initially planned to move from CVR to Cloud 42. While Cloud 42 helped surface important lessons, it also presented its own limitations. As a result, the Navy pivoted to a greenfield cloud environment.

“We realized that Cloud 42 had its own challenges. There were lessons learned that were coming out of CVR, and working with DISA and the other services, [we decided] we wanted to get into a greenfield environment. So, we literally dropped what we were doing with Cloud 42, even though we had migrated some people over to it,” said St. Pierre.

Today, the Navy has implemented 151 of 152 zero-trust activities and principles across the Flank Speed environment.

Culture change has played a critical role in the Department of the Navy’s zero-trust adoption, St. Pierre added.

“That evolution, technical and cultural, has been a big part of moving us in the right direction,” St. Pierre said. “We’ve been able to make some significant improvements.”

Matthew Shallbetter, director of civilian strategy at Armis, emphasized the importance of taking a systemic approach to zero-trust implementation.

“The main goal is to think systemically about the problem,” Shallbetter said. “You identify the gaps, invest there, and then bring in system auditors and leadership to agree on priorities and move toward enterprise solutions.”

The Navy aims to reach target-level zero-trust maturity by the fourth quarter of fiscal year 2027.

“One thing that’s a saving grace is that we did the mapping between NIST 800-53 and the Zero Trust Activities and Principles. We know that if our teams are doing those activities, we have a step in the right direction … that’s part of the map,” St. Pierre said.

Applying Zero Trust to Operational Technology

Lou Eichenbaum, former CISO at the Interior Department, said zero-trust principles must extend beyond IT systems to operational technology to prevent catastrophic attacks on critical infrastructure.

Operational technology is often assumed to be secure because it is air-gapped. However, in practice, few systems are fully isolated, Eichenbaum said.

“A simple compromise on a laptop could allow lateral movement to a critical controller,” he said. “The likelihood may be lower, but the impact is catastrophic. That’s why it comes down to risk management. How much are you willing to invest to ensure that doesn’t happen?”

The Department of the Navy has prioritized securing Facility-Related Control Systems (FRCS) because of the risks they pose to critical infrastructure.

“It allows us to sense that analog device behind the network,” St. Pierre said. “That’s how we begin applying zero trust to operational technology. As you modernize and move to IP networks, protecting OT in a common way helps operators understand what’s out there, reduces training burdens and improves visibility across tools and environments.”
