The Pentagon is expected to release a new assessment to evaluate and approve zero trust standards in early 2025. This new initiative, which Les Call, director of the DOD’s Zero Trust Portfolio Management Office, said in September was nearly finished, will complement the DOD’s goal of meeting a 2027 deadline for zero trust implementation across the department.
Ahead of that strategy’s release, DOD components and departments, big and small, are taking inventory of where they are in the process and what challenges they might face moving forward. Like any other mammoth organization, different parts are in various places, both technologically and culturally.
While the focus over the last year has been on planning and ideation, IT teams in every department must start moving toward actual implementation. That takes a combination of technical strategy and a shift in mindset. While this step might be anxiety-inducing for some smaller agencies within the DOD, it doesn’t need to be.
Lead by Example
How do DOD departments, a bit farther behind in their journey, understand what’s ahead? It’s best to look at those around you who have already traversed some of these challenges and paved the way forward.
For example, the Air Force released the newest iteration of its Zero Trust roadmap on October 7 and outlined how it plans to tackle what I’d call both an ambitious and thoughtful strategy.
One foundational step the Air Force is taking that everyone could follow is ensuring a shift in mindset from a network-centric cybersecurity model to a data-centric one. That approach prioritizes data security rather than just securing the network on which it travels.
In this way, the Air Force is looking inward to the sensitive items within its environment, classifying them as such and applying controls to the data itself regardless of its location. This information could be deployments, user information, weapons systems, or any number of other sensitive datasets, but it must be properly labeled and have security controls attached to those labels.
The Air Force has also taken more advanced steps from which other small departments can learn. For example, they’ve increased the use of micro-segmentation. This strategy feeds well into the zero-trust mindset that protecting data is paramount. Micro-segmentation is a security method that isolates data flows into smaller, more secure zones. This enables IT administrators to gain more granular control over applications and workloads.
This gateway authenticates users and devices and monitors behavior while applying security measures to detect or prevent unauthorized activity.
The Human Element
The technical side is only part of the equation when it comes to the implementation stage of the DOD’s zero-trust strategy. A cultural aspect could make or break an organization’s ability to implement this process.
While some corners of the Pentagon have been known to embrace the cutting edge of technology, like the Navy with its Flank Speed service, some are hesitant to make changes. For some departments, not meeting combat mission objectives has worse consequences than not meeting zero trust goals. Rightfully, when the situation is life or death, these leaders must be certain that new technology will not fail them or become an obstacle to completing the mission.
One way to do this is by demonstrating that zero trust isn’t just about securing DOD data; it’s ultimately a significant part of the larger goal of realizing better and more consistent mission outcomes. This key message should constantly be reinforced among military members and civilian employees regardless of their technical skill or place on an organizational chart.
Beyond that, use cases like those of the Air Force and the Navy should be closely examined. Help department leaders understand that zero trust is a legitimate security architecture that mission-focused organizations already use. This will help those who are skeptical better understand both the broad process and their role in making it work. By building institutional knowledge and raising the comfort level, DOD departments will have a much easier time implementing zero-trust strategies.
As a Marine Corps veteran, I see how DOD is one of the few organizations where top-down leadership works. Leaders enforce these cultural shifts to a zero-trust mindset and encourage everyone in their units to prioritize this along with the mission. In many ways, this mindset is already applied to kinetic operations and everyday standards; it just needs to permeate cyberspace.
I’m not saying this implementation phase will be easy, but it doesn’t have to be complicated. While almost every organization will have a different portfolio of tools and procedures to implement zero trust, you can still look to those doing well already and find commonalities to implement and accelerate your strategy. And don’t forget that the concerns of those resistant to this change are valid, as everyone at the DOD is ultimately focused on the mission. We must remind them that zero trust is a mission enabler, not a roadblock.