High stakes as the Department of Defense adopts modern Zero Trust strategies
The 2021 Executive Order 14028 embraced Zero Trust as the desired model for Federal security and tasked agencies with modernizing cybersecurity programs, services, and capabilities to work with cloud-computing environments and utilize zero trust architectures (ZTA). In November of 2022, the initial DOD strategy and roadmap was published with a focus on interoperability. The new guidance spells out how the DOD plans, over the next five years, to move beyond traditional network security methods in order to reduce network attack surfaces, enable risk management and effective data-sharing in partnership environments, and contain and remediate adversary activities.
According to Lieutenant General Robert Skinner:
“Zero Trust is about a journey to be more secure no matter what systems you're leveraging.”
Forcepoint recently sponsored a GovExec TV dispatch from the Rocky Mountain Cyberspace Symposium 2023. In the interview, top DOD leaders, including Lieutenant General Robert Skinner (Director of DISA and Commander, Joint Force Headquarters Department of Defense Information Network (DODIN)) and Colonel Jennifer Krolikowski (Chief Information Officer, Space Systems Command), discussed the lessons learned and the innovation happening as the DOD adopts Zero Trust. Here are some of the top takeaways from the discussion:
Increasing integrity and availability
One of the major challenges the DOD faces as it transforms is the need to centralize and standardize network security into regional architectures instead of locally distributed, non-standardized architectures. These networks exist at different levels of maturity and different stages in their lifecycle at each military base, post, camp, or station. The DOD is attempting to use the Joint Regional Security Stack (JRSS) Program to enable DOD cyber defenders to continuously monitor and analyze the DODIN for increased situational awareness, minimizing the effects of cyberattacks while ensuring the confidentiality, integrity, availability, and non-repudiation of data. DISA is the lead integrator for JRSS, and General Skinner discussed how DISA is working on several major programs to evolve DOD cybersecurity.
One example of a Joint Regional Security Stack that General Skinner gave was the Thunderdome project, which he described as the next instantiation of Zero Trust that DISA is offering for Department of Defense agencies and combat commands to leverage. He discussed how Thunderdome brings together a data-centric environment and a network-centric environment while leveraging ICAM (Identity, Credential, and Access Management) to make sure that everyone has the right access.
General Skinner sees ICAM as a foundation because “if you don't have identity rights then an individual could have credentialed access to things they're not supposed to and so that makes an adversary's pop out with easier. But if you have strong identity, that means that for you, for example, we know enough about you that we know what you're authorized to have access to, we know what systems you are coming in from - whether it's the Internet or whether it's a government furnished piece of equipment.” He suggests there are different risk tolerances depending on where you are coming from.
General Skinner discussed how the Joint Regional Security Stack (JRSS) Program requires secure access service edge (SASE) capabilities to enable security at the edge, as well as enterprise capabilities, so that the DOD and combat commands can leverage what DISA enables for their own environments, with the goal being interoperability. He believes leveraging the same contracts and the same technologies will drive the DOD forward to a more holistic environment that is easier to defend and to operate.
General Skinner also discussed how the Joint Warfighting Cloud Capability (JWCC), awarded to Amazon Web Services Inc. (AWS), Google Support Services LLC, Microsoft Corporation, and Oracle, has inherent Zero Trust capabilities built in. The General believes this to be the cloud component needed as you look at the hybrid cloud broker, providing an opportunity to show DOD entities that, whether they have a novice cloud environment or an expert cloud environment, the DOD has the expertise to help them navigate how best to enable a secure cloud.
Accelerating development cycles with security in mind
Colonel Krolikowski talked about her time, before she became CIO at Space Systems Command, at the Kobayashi Maru (KM) Program Cyber Coding Factory. Star Trek fans may recognize the Kobayashi Maru reference, which refers to an unwinnable training simulation that was finally beaten when Captain Kirk hacked the system. The Kobayashi Maru organization is tasked with modernizing Space Domain Awareness (SDA) and Space C2 warfighter capabilities for the Combined Space Operations Center (CSpOC), 18th Space Control Squadron (SPCS), and National Space Defense Center (NSDC). She talked about how they were working to bring cybersecurity to the left: ensuring the code is as secure as possible and that security is thought through throughout the development cycle, rather than thinking only about core functionality. The net result is that they were actually able to accelerate production. She learned that by “working on that security all through the development, I'm not creating a bunch of tech debt at the end. So I was able to actually produce capability faster than the traditional way of waiting until the end to do it.”
The speed that came from focusing on both delivering and being secure surprised people. One thing that enabled this within the program was the focus on engaging with users and their workflows early and often to ensure success. Communication between the developers and the users helps ensure the requirements are met in a timely manner.
Leading with this cybersecurity-first mindset, and thinking about availability and whole-system functionality across all of the elements involved in the process, is leading to success across the programs Colonel Krolikowski leads today. She is taking these lessons learned and applying them to her thought process and to the culture she is building as she attempts to adopt Zero Trust.
Security can’t be bolted on in DOD environments
Another concern that Colonel Krolikowski expressed was that many commercial companies are trying to be fast to market and often aren’t thinking about the rigor and the security required for DOD environments as they try to retrofit programs to meet FedRAMP requirements. She believes the lessons learned from the Kobayashi Maru Program, where security is developed from the beginning, should be applied to commercial companies who want to develop solutions to meet Federal requirements.
Watch the full interview to learn more about the DOD efforts to adopt Zero Trust. And download the latest whitepaper from Forcepoint to learn more about what agencies must consider when implementing Zero Trust.