New Zero Trust Overlays Codify DOD Cybersecurity Strategy
The overlay document asks Defense Department components to standardize their implementation strategy across the enterprise.

The Defense Department updated its zero-trust overlays, which standardize and clarify zero-trust implementation throughout the department. The new overlays are the culmination of an effort that began with the 2021 White House cybersecurity executive order.
The new overlays also phase in zero-trust controls and conduct a gap analysis to help the agency reach its target goals, according to Will Schmitt, division chief at the DOD Zero Trust Portfolio Management Office.
“Zero trust is a data-centric strategy for security,” Schmitt said in an agency statement. “You’re protecting the data itself. You’re moving that protection boundary from the perimeter right down to what’s critical to be protected, and what that means is that everybody has to be authorized and authenticated to access that piece of information.”
Randy Resnick, chief zero trust officer for DOD’s Zero Trust Portfolio Management Office, said at AFCEA TechNet Cyber last month that “the existing overlay controls weren’t good enough to describe zero trust, so what you’ll find in that document is a mapping of controls to activities. We did the hard work here, where we now have controls that describe zero trust at the target and advanced level mapping back to the activities.”
The overlays consist of a number of pillars (user, device, data, application and workload, network and environment, automation and orchestration, visibility and analytics) that underpin the agency’s zero-trust posture. Additionally, five tenets serve as the foundation of the DOD zero-trust implementation: assume a hostile environment; presume breach; never trust, always verify; scrutinize explicitly; and apply unified analytics.
“The overlays are giving the ability to quickly determine that 70% to 90% of the controls are in place so we can be confident as we operate that the machine’s checked it, the systems checked it, we’re using the best practices, and we don’t have to go in and manually check everything because that’s going to slow us down,” George Lamb, director of cloud and software modernization at DOD, told GovCIO Media & Research.
Les Call, director of the DOD’s Zero Trust Portfolio Management Office, said in an agency video that zero trust is “like having locks, not just on the external front door, back door, windows, but on all your doors outside and inside, so once the intruder gets in your home, they still can’t go anywhere unless they’re authenticated to move from one room into the other room.”
Call emphasized that system owners are likely already implementing many of the zero-trust controls the department mandates, but some might still need to align themselves with the department’s new standards.
By fiscal year 2027, the department plans to reach “target level” implementation, which consists of implementing at least 91 out of 152 target activities listed in DOD’s 2022 Zero Trust Strategy and Roadmap.
“The zero-trust overlays are another tool in the department’s toolbox supporting components’ execution by providing clear guidance on which controls facilitate specific zero trust activities and outcomes,” said David McKeown, deputy CIO for cybersecurity and chief information security officer at DOD, in a June statement.