Its adversaries’ capabilities, Department of Defense (DoD) CIO John Sherman says, are forcing the department to adopt the “ambitious goal” of deploying zero trust principles across all of its 33 units by 2027.
Commonly called the world’s largest employer, the DoD is made up of over 2.91 million service members and civilians active at 4,800 sites in more than 160 countries. That makes this one of the most ambitious zero trust transitions to date. Given the sensitivity of its mission, the importance of its intelligence assets, and the certainty of it being targeted by America’s enemies, it’s also a loud-and-clear endorsement of the security and networking benefits of zero trust as a philosophy.
With the White House Executive Order conferring the U.S. endorsement of zero trust principles from the very top, it now falls to the DoD to implement this vision. To do so, the department should stick to a few practices that could help make the rollout smooth and successful.
Remember the fundamentals of change leadership
Unit heads must identify zero trust champions to charge with promoting this initiative. An advocate from each unit could act as an emissary to a department-wide steering committee that establishes cohesive messaging about the “what” and the “why” of zero trust. Committee members would then return to their respective agencies to report on progress, share learnings from their peers, and advise on overcoming stumbling blocks. It would fall to these individuals to defend the roadmap from doubters while voicing legitimate concerns to the broader group.
Leadership must err toward overcommunication throughout the process. Just like nature abhors a vacuum, organizations won’t tolerate information vacuums. If they are not filled with fact-based messaging, misinformation and spin will take their place. Agencies should cater to different learning styles to make sure messaging sticks. It’s widely held in marketing circles that an audience needs to hear a message at least seven times before it sticks. The DoD should embrace this principle in the form of slide decks, illustrations, videos, white papers, and other learning tools.
Finally on this point, DoD heads should recognize and preserve the cultural differences between agencies. There will likely be slight differences in approach between, say, the Department of the Army and the Department of the Air Force. As a result of their unique pressures, mandates, and makeups, they will have spawned their own security cultures. By all means, agencies should share lessons where they do overlap, but each must embark on its own journey to zero trust.
Recognize zero trust for what it is. And what it isn’t.
Zero trust is an ecosystem, not a single solution. It’s not a box to plug in, turn on, and let whirl away. The DoD’s approach will require new metrics, policies, and reporting. Its implementation will require fine-tuning, and maybe even scrapping and starting over in some disciplines. Endpoint security, identity and access management, CASB, data loss prevention – all of these are aspects of zero trust that must be adhered to in order to capitalize on the full security benefits of the philosophy.
To its credit, the DoD seems to fully understand this, teasing a plan based on 45 capabilities and 90 activities. “No vendor can achieve all 90 of the activities within their own product line,” Sherman told the Federal News Network. That’s certainly correct, and the DoD will have to be careful in choosing its partners. Public-private partnerships will be required but constrained by new, stringent software supply chain disclosure requirements. This is surely a significant challenge that will need to be overcome.
Sherman rightly goes on to mention other elements not technically included in but tangential to zero trust – policy updates, the need to hire new staff and upskill existing professionals, training on new security systems, etc. Without addressing these related IT issues, a zero trust transition is bound to be bumpy.
(For a more comprehensive definition of what zero trust is and isn’t as well as the Zscaler approach, consult this series.)
Don’t swallow the elephant whole
Start with one bite. Reportedly, the DoD is planning to run pilot programs within chosen agencies before implementing its plan department-wide. This is a sensible strategy, but it’s important to realize that zero trust itself can also be implemented in phases. It’s advisable to begin with user-to-workload segmentation and add capabilities from there. Expecting to roll out a mature zero trust program with the flip of a switch is like starting school by aiming for your Ph.D., as Zscaler CEO Jay Chaudhry likes to point out.
Like any organization, the DoD will be faced with the challenge of locking down seven aspects of its defense:
- Users
- Devices
- Networks & environments
- Applications
- Data
- Visibility & analytics
- Automation & orchestration
Some of these elements will be secured with overtly zero trust technologies. Others with related or complementary solutions. But to begin, it’s up to the DoD to identify gaps or shortcomings in these areas and address them each in turn.
An example for the rest of us
The DoD has a clear opportunity to show the rest of the federal government a comprehensive roadmap for implementing zero trust. As the largest U.S. department and one of the largest organizations worldwide, few other institutions will encounter the same complexities or higher hurdles. The legacy technical debt it means to shed is likely substantial.
The mission-critical nature of the department’s IT systems and its confidence in the zero trust model should influence adjacent agencies to adopt a similar transition roadmap. The plan it settles on could well trickle down to inform other state and local governments. I believe that the DoD’s timeline is conservative, but given the importance of getting it right – both for the sake of Americans’ safety and in influencing other agencies – that’s understandable.
Once the roadmap is revealed this October, it will come time to execute.