Navy’s Zero Trust Successes Pave the Way for ISV 2.0

Zero trust is critical to the deployment of the Department of the Navy’s updated information security vision (ISV), which aims to modernize the way the department fulfills its mission of equipping warfighters, DON’s Deputy CIO Barry Tanner said Tuesday at AFCEA West in San Diego, California.

“Zero trust is not a thing. It’s a way of doing business,” said Tanner. “And so we’ve learned a lot over the last four plus years about what it means to ‘be’ zero trust.”

Tanner and DON CIO Jane Rathbun said that ISV 2.0 builds on the first iteration, released in 2020, to counter changes in the cybersecurity environment like remote access, zero-trust goals and a changing workforce.

“In 1.0, we were focused on modernize, innovate and defend where data and workforce were supporting elements,” said Rathbun. “[The changes since 2020] taught us a whole lot about where we need to go.”

Tanner highlighted DON’s successes in zero-trust implementation, citing the Navy’s Flank Speed cloud service achieving 151 out of 152 security activities in a Nov. 2024 audit, but said DON needs to look to the future and the whole of ISV 2.0 to build on successes.

“We’ve been able to show how you do [zero-trust implementation] … So now it’s, how do we build on that?” Tanner said. “We have a mandate to meet the basic zero trust requirements by 2027. That is really fast, that’s really hard, … [but] the assessments that were done last year will help inform all of the networks and programs that have work to do on that.”

Collaboration across the department was key to DON’s success, Rathbun said.

“It was a group effort, team effort, with our industry partners and with our Cyber Command and with our PEOs and resource officers, all working together at the same time, not in a linear fashion, to drive fast and get this done,” said Rathbun.

Sharing cybersecurity successes will enable the military to better invest across the services, Rathbun said. Leaders need to continue to collaborate to advance cybersecurity standards and make technology, along with the military, more resilient, she noted.

“How can we optimize our cybersecurity capabilities and get the most out of them the least amount of money,” Rathbun said. “This is about getting leaders together, talking about what we’re doing today, what we need to be doing going forward in the future, putting plans together and talking about cybersecurity as an investment.”

Investing in the workforce will position DON to better serve the mission, Rathbun added. Part of DON’s mission is hiring, training and retaining the best and brightest cyber talent, she said.

“Our cyber workforce is a supporting pillar [to ISV 2.0], a supporting foundation. We want to do things differently to make sure that they’ve got the training that they need … and that we can retain them and move them into more responsible areas,” said Rathbun.

DON is transitioning from a compliance-focused to a readiness-focused approach to meet the Defense Department’s goal of zero-trust implementation by 2027, Tanner said.

“Cyber Ready is all about being ready all the time. [Old readiness assessments] are interesting. They tell you about a point in time. It does not tell you that you’re in [continuous] compliance,” Tanner explained. “We have demonstrated through the last couple of years of our zero-trust journey that this is what it looks like when you know what’s going on at every device, identity, network, the state of the devices on that network, the applications, the data. Every level, has to be looked at.”